b"\x0c\x0c\x0c( U ) T H I S PA G E I N T E N T I O N A L LY L E F T B L A N K\n\n\n\n\n                     DODIG-2013-142 | ii\n\x0c                                          Results in Brief\n                                          DoD Evaluation of Over-Classification of National Security\n                                          Information\n\n\nSeptember 30, 2013                                       We also concluded that some policies, procedures, rules, regulations or\nExecutive Summary of DODIG-2013-142                      management practices may be contributing to persistent misclassification of\n                                                         material. While we did find some instances of over-classification, we do not\nWhat We Did                                              believe that those instances concealed violations of law, inefficiency, or\n                                                         administrative error; prevented embarrassment to a person, organization, or\nThis is the first of two reports that Public             agency; restrained competition; or prevented or delayed the release of\nLaw     111-258,     Section       6(b)     requires,    information not requiring protection in the interest of national security.\nmandating Inspectors General of Federal                  However, we did find several instances where the inaccurate use of\ndepartments, or agencies with an officer or              dissemination control and handling markings could unnecessarily restrict\nemployee who is authorized to make                       information sharing.\noriginal classifications, to:             (A) assess\nwhether applicable classification policies,              Many of the issues we found were similarly reflected in organizational self-\nprocedures, rules, or regulations have been              assessments and fundamental classification guidance review results,\nadopted,      followed,        and         effectively   demonstrating that DoD is aware of weaknesses and is striving to improve.\nadministered; and (B) identify policies,                 The most common discrepancy was incorrect marking of documents. Many\nprocedures,        rules,      regulations,        or    of our interviewees commented on the availability and robustness of\nmanagement         practices       that    may     be    training.\ncontributing to persistent misclassification\nof material. In this report, we address eight            While room for improvement still exists, DoD continues to make advances in\nareas      associated       with      classification     program management, reporting costs, reporting of security classification\nmanagement          and      control         marking     activities, and in advancing policies that will help constrain over-\nprograms. For the second report due under                classification.\nPublic Law 111-258 on September 30, 2016,\nwe will focus on follow-up efforts to                    What We Recommend\nrecommendations outlined in this report.\n                                                         We recommend that the Under Secretary of Defense for Intelligence and for\n                                                         Acquisition, Technology, and Logistics carry out the recommendations\nWhat We Found\n                                                         outlined in this report and continue to leverage the new Defense Security\nWe found that applicable classification                  Enterprise, especially with regard to ensuring that Original Classification\npolicies, procedures, rules, and regulations             Authorities are fully engaged and accountable.\nhave been adopted; however, in some\ncircumstances, they had not been followed                Management Comments and Our Response\nor effectively administered.\n                                                         Both the Under Secretary of Defense for Intelligence and the Under Secretary\n                                                         for   Acquisition,   Technology,   and   Logistics   concurred   with   the\n                                                         recommendations; however, management did not provide information to\nVisit us on the web at www.dodig.mil                     identify what actions will be taken and the date on which recommendations\n                                                         will be completed. Therefore, we request additional comments. Please see\n                                                         the recommendations table on the back of this page.\n                                                         DODIG-2013-142 | iii\n\x0cRecommendations Table\n                                         Recommendations             No Additional\n            Management\n                                         Requiring Comment         Comments Required\n  Under Secretary of Defense for      A1, A2, B, C1, C2, C3, C4,\n  Intelligence                        D1, D2\n  Under Secretary of Defense for\n  Acquisition, Technology, and        C1, C2, C3, C4\n  Logistics\n* Please provide comments by October 30, 2013\n\n\n\n\n                                   DODIG-2013-142 | iv\n\x0cAcronyms and Abbreviations\n       C.F.R.    Code of Federal Regulations\n          DNI    Director of National Intelligence\n          DSE    Defense Security Enterprise\n      DSEAG      Defense Security Enterprise Advisory Group\n  DSE ExCom      Defense Security Enterprise Executive Committee\n          DSS    Defense Security Service\n         E.O.    Executive Order\n         GAO     Government Accountability Office\n            IC   Intelligence Community\n           IG    Inspector General\n        ISOO     Information Security Oversight Office\n       JWICS     Joint Worldwide Intelligence Communication System\n         OCA     Original Classification Authority\n        ODNI     Office of the Director of National Intelligence\n    OUSD(I)      Office of the Under Secretary of Defense for Intelligence\n         OSD     Office of the Secretary of Defense\n          P.L.   Public Law\n         SAO     Senior Agency Official\n           SF    Standard Form\n    SIPRNET      SECRET Internet Protocol Router Network\n      USD(I)     Under Secretary of Defense for Intelligence\n\n\n\n\n                                 DODIG-2013-142 | v\n\x0cDistribution:\n\nSenate Committee on Homeland Security and Governmental Affairs\n\nSenate Select Committee on Intelligence\n\nSenate Committee on Appropriations, Subcommittee on Defense\n\nHouse Committee on Homeland Security\n\nHouse Committee on Appropriations, Subcommittee on Defense\n\nHouse Committee on Oversight and Government Reform\n\nHouse Permanent Select Committee on Intelligence\n\nDirector, Information Security Oversight Office\n\n\n\n\n                                DODIG-2013-142 | vi\n\x0cTable of Contents\nIntroduction ....................................................................................................................1\nObjective...........................................................................................................................1\nBackground .....................................................................................................................1\nScope and Methodology .............................................................................................3\nFinding A: Effectiveness of Security Program Management .....................6\n   Conclusion...................................................................................................................................................... 17\n   Recommendations ...................................................................................................................................... 18\n\nFinding B: Effectiveness of Original Classification Authorities ............ 20\n   Conclusion\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6 ......................... .22\n   Recommendations\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6 ......................... 22\n\nFinding C: Effectiveness of Component Statistical and Cost\nReports ........................................................................................................................... 23\n   Conclusion\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6....................... 30\n   Recommendations\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6 ..................... 30\n\nFinding D: Effectiveness of DoD Security Education and Training ..... 32\n   Conclusion\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6 ................... 36\n   Recommendation\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6 ...................................... 36\n\nAppendix A: Observation ....................................................................................... 37\n   Observation A. Effectiveness of Policies for Developing Classification Decisions\xe2\x80\xa6\xe2\x80\xa6 .... 37\n   Conclusion\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6 ...........................\xe2\x80\xa644\n   Observation B. Classification by Derivative Classifiers\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6 .............................. 45\n   Conclusion\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6 ............................................ 47\n   Observation C. Effectiveness of Self-Inspection Programs ........................................................ 48\n   Conclusion\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6 ............................................ 55\n   Observation D. Intelligence Community Cross-Cutting Issues\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6 ....................... 55\n   Conclusion...................................................................................................................................................... 57\n\n\n\n\n                                                            DODIG-2013-142 | vii\n\x0cAppendix ...................................................................................................................... 58\n   Computer-Processed Data\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6 ............................................. .58\n   Use of Technical Assistance\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6 .............................................. .58\n   Prior Coverage\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6 .......................................... .58\n\nCenter for Development of Security Excellence (CDSE) Course\nOfferings ........................................................................................................................ 59\nManagement Comments .............................................................................. 62\n   Under Secretary of Defense for Intelligence Comments\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6 \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6...\xe2\x80\xa6...62\n   Under Secretary of Defense for Acquisition, Technology and Logistics............................... 63\n\n\n\n\n                                                DODIG-2013-142 | viii\n\x0c                                                                                  Introduction\n\n\n\n\nIntroduction\nObjective\nIn accordance with Public Law (P.L.) 111-258, Section 6(b), and in consultation with the\nInformation Security Oversight Office (ISOO), 1 our objective is to evaluate the policies,\nprocedures, rules, regulations, or management practices that may be contributing to\npersistent misclassification of material; and ascertain if the applicable classification\npolicies, procedures, rules, and regulations have been adopted, followed, and effectively\nadministered. This project will facilitate the timely reporting required by the Public\nLaw to address efforts by DoD to decrease over-classification; and promote information\nsharing and transparency in operations in compliance with the law.\n\nBackground\nExecutive orders since 1940 have directed government-wide classification standards\nand procedures. On December 29, 2009, President Obama signed Executive Order (E.O.)\n13526, \xe2\x80\x9cClassified National Security Information,\xe2\x80\x9d which establishes the current\nprinciples, policies, and procedures for classification. The E.O. prescribes a uniform\nsystem for classifying, safeguarding, and declassifying national security information.\nE.O. 13526 also reflects the President\xe2\x80\x99s expressed belief that this nation\xe2\x80\x99s progress\ndepends on the free flow of information, both within the Federal Government and to the\nAmerican people. Accordingly, protecting information critical to national security and\ndemonstrating a commitment to open government through accurate and accountable\napplication of classification standards and routine, secure, and effective declassification\nare equally important priorities.\n\n\nUnder E.O. 13526, classified information that has been determined to require protection\nagainst unauthorized disclosure to prevent damage to national security must be marked\nappropriately to indicate its classified status.\n\n\n\n\n1\n  ISOO is responsible to the President for policy and oversight of the government-wide security\nclassification system and the National Industrial Security Program. ISOO is a component of the\nNational Archives and Records Administration and receives policy and program guidance from\nthe National Security Council.\n\n\n\n                                    DODIG-2013-142 | 1\n\x0c                                                                                    Introduction\n\n\n\nInformation may be originally classified 2 only by Original Classification Authorities\n(OCAs): these are individuals authorized in writing, either by the President, the Vice\nPresident, or agency heads or other officials designated by the President, to initially\nclassify information.     OCAs must receive training on proper classification prior to\noriginally classifying information and at least once per calendar year after that. By\ndefinition, original classification precedes all other aspects of the security classification\nsystem, including derivative classification, 3 safeguarding, and declassification.\nInformation on the six-step process for determining an original classification decision is\ndetailed in Appendix A, Observation A.\n\n\nAll personnel with an active security clearance can perform derivative classification,\nunless an agency limits this activity to specific personnel. All personnel who apply\nderivative classification markings must receive training on the proper application\nprinciples of E.O. 13526 prior to derivatively classifying information and at least once\nevery two years thereafter. Information may be derivatively classified from a source\ndocument or documents, or by using a classification guide.\n\n\nAuthorized holders of information (including authorized holders outside the classifying\norganization) who, in good faith, believe that its classification status is improper are\nencouraged and expected to challenge the classification status of information.\n\n\nFederal Government organizations that create or hold classified information are\nresponsible for its proper management. Classification management includes developing\nsecurity classification guides (SCGs) that an OCA uses to provide a set of instructions to\nderivative classifiers. These instructions identify elements of information on a specific\nsubject that must be classified and the classifications\xe2\x80\x99 level and duration for each\nelement.\n\n\nOne of the most effective ways to protect classified information is through the\napplication of standard classification markings or dissemination control markings.\nEffective program management also includes comprehensive mandatory training for\nclassifiers and a robust self-inspection program.\n\n2\n  Original classification is an initial determination that information requires, in the interest of\nnational security, protection against unauthorized disclosure.\n3\n  Derivative classification is incorporating, paraphrasing, restating, or generating in new form\ninformation that is already classified, and marking the newly-developed material consistent with\nthe classification markings that apply to the source information. It includes the classification of\ninformation based on classification guidance. The duplication or reproduction of existing\nclassified information is not derivative classification.\n\n\n\n                                     DODIG-2013-142 | 2\n\x0c                                                                                 Introduction\n\n\n\nFederal departments and agencies also may have systems of restrictive caveats that can\nbe added to a document in the form of dissemination control and handling markings.\nThese restrictions are not classifications in and of themselves; rather, they identify the\nexpansion or limitation on distributing the information. These markings are in addition\nto, and separate from, the level of classification. Only those external dissemination\ncontrol and handling markings approved by ISOO -- or approved by the Director of\nNational Intelligence (DNI) for intelligence and intelligence-related information--may be\nused by agencies to control and handle the dissemination of classified information\nunder agency regulations, policy directives, and guidelines which are issued under E.O.\n13526. Such approved markings must be uniform and binding on all agencies and must\nbe available in a central registry.\n\n\nTwo significant changes to the classification program under the issuing of E.O. 13526\ninvolve making classified information accessible, to the maximum extent possible, to\nauthorized holders.       If significant doubt exists about the appropriate level of\nclassification, information shall be classified at the lower level. Additionally, if significant\ndoubt exists about the need to classify information, it should not be classified.\n\nThe term \xe2\x80\x9cover-classification\xe2\x80\x9d is not defined in national policy. E.O. 13526 defines\n\xe2\x80\x9cclassification\xe2\x80\x9d and \xe2\x80\x9cdeclassification,\xe2\x80\x9d but not this term. During our evaluation and in\nthis report, we have used a working definition of \xe2\x80\x9cover-classification,\xe2\x80\x9d which ISOO\nsupplied: the designation of information as classified, when the information does not\nmeet one or more of the standards for classification under section 1.1 of E.O. 13526.\n\n\nScope and Methodology\nThis evaluation was conducted from October 2012 to September 2013, in accordance\nwith Quality Standards for Inspection and Evaluation that the Council of the Inspectors\nGeneral on Integrity and Efficiency issued. Those standards require that we plan and\nperform the evaluation to obtain sufficient, appropriate evidence to provide a\nreasonable basis for our findings and conclusions based on our evaluation objectives.\nTo accomplish our evaluation, we:\n\n\n        \xe2\x80\xa2   examined fundamental classification guidance review (FCGR) results;\n\n        \xe2\x80\xa2   examined self-inspection reporting results;\n\n        \xe2\x80\xa2   examined Standard Forms 311, \xe2\x80\x9cAgency Security Classification\n            Management Program Data\xe2\x80\x9d;\n\n\n\n                                      DODIG-2013-142 | 3\n\x0c                                                                             Introduction\n\n\n\n       \xe2\x80\xa2     reviewed relevant policies, regulations, and related studies;\n\n       \xe2\x80\xa2     reviewed 1,260 classified documents;\n\n       \xe2\x80\xa2     reviewed 342 SCGs;\n\n       \xe2\x80\xa2     conducted a survey of Defense Component security managers, and\n             original and derivative classifiers;\n\n       \xe2\x80\xa2     interviewed 21 original classification authorities and 129 derivative\n             classifiers;\n\n       \xe2\x80\xa2     interviewed key Department officials responsible for security training\n             and related policy development and implementation; and\n\n       \xe2\x80\xa2     interviewed officials responsible for the Department\xe2\x80\x99s information\n             security program.\n\nWe also used an evaluation guide that a working group of participating IGs, led by the\nOIG DoD, prepared for all IG offices participating in this government-wide effort on\nbehalf of the Council of the Inspectors General on Integrity and Efficiency.          The\nevaluation guide was intended to meet P.L. 111-258 requirements regarding the\nresponsibilities of each participating department and agency. The working group was\nformed to ensure consistency in the evaluative process, comparable reporting, and the\nability to compare results across agencies. The evaluation guide is on the website:\nwww.ignet.gov/CIGIE Reports and Periodicals/List by Year/2013/, \xe2\x80\x9cA Standard User\xe2\x80\x99s\nGuide for Inspectors General Conducting Evaluations under Public Law 111-258, the\nReducing Over-Classification Act.\xe2\x80\x9d\n\n\nAs the Act directs, we consulted with ISOO and coordinated throughout the evaluation\nwith other IG offices with the goal of ensuring that our evaluations followed a consistent\nmethodology to allow for cross-agency comparisons.\n\n\nThe evaluation focused on eight areas: General program management responsibilities;\nOCAs; original classification; derivative classification; self-inspections; reporting;\nsecurity education and training; and Intelligence Community (IC) cross-cutting issues.\n\n\nTo discern whether departmental policies and practices were consistent with E.O.\n13526 and 32 C.F.R., Part 2001, we used the following evaluation tools that ISOO\ndeveloped:\n\n\n\n                                    DODIG-2013-142 | 4\n\x0c                                                                             Introduction\n\n\n\n         \xe2\x80\xa2   an agency regulation implementing assessment tool;\n\n         \xe2\x80\xa2   methodology for determining whether an original classification decision\n             is appropriate;\n\n         \xe2\x80\xa2   original classification authority interview coverage;\n\n         \xe2\x80\xa2   methodology for determining the appropriateness of a derivative\n             classification decision; and\n\n         \xe2\x80\xa2   derivative classifier interview coverage.\n\nWe received results from evaluations by the Department of the Army, the Defense\nThreat Reduction Agency, and the Naval Audit Service, who used their own procedures\nto write findings and recommendations. The DoD OIG did not verify the information\nprovided.\n\nWe evaluated the information security programs of the following organizations:\n\n         \xe2\x80\xa2   Department of the Navy;\n\n         \xe2\x80\xa2   Department of the Air Force; and\n\n         \xe2\x80\xa2   Combatant Commands.\n\nWe evaluated these departments and entities because they represented organizations,\nas described in E.O. 13526, that would have information eligible for classification, the\nunauthorized disclosure of which could reasonably be expected to cause identifiable or\nexplainable damage to the national security.\n\nWe did not evaluate declassification issues because ISOO recently completed its five-year\non-site assessment of agency declassification programs. Details are in the 2012 Annual\nReport       to    the     President,       of    June   20,     2013,    and      is      at\nhttp://www.archives.gov/isoo/reports/.           This oversight and assistance program\ngarnered significant measureable improvements in the quality of declassification\nreviews that executive branch departments and agencies conducted. ISOO will continue\nits assessment program in a manner that sustains this high level of quality.\nAssessments focused on three areas of concern:            missed equities, inappropriate\nreferrals, and improper exemptions.\n\n\n\n\n                                   DODIG-2013-142 | 5\n\x0c\x0c                                                                                  Finding A\n\n\n\n\nGeneral Program Management\nIn a June 2006 evaluation of DoD\xe2\x80\x99s information security program, the Government\nAccountability Office (GAO) found that a lack of oversight and inconsistent\nimplementation of the DoD\xe2\x80\x99s information security program increased the risk of\nmisclassification.    Misclassifying national security information impedes effective\ninformation sharing, can provide adversaries with information to harm the United\nStates and its allies, and can cause the U.S. to incur millions of dollars in avoidable\nadministrative costs.      GAO identified weaknesses in the areas of classification\nmanagement training, self-inspections, and security classification guide management.\n\n\nSince August 2010, the Office of the Deputy Inspector General for Intelligence and\nSpecial Program Assessments, OIG, DoD, has conducted a series of assessments of\nSecurity within DoD, as follows: Tracking and Measuring Security Costs; Training,\nCertification and Professionalization; Security Policy; and the soon-to-be published\nClassification and Grading of Security Positions. We will continue to do oversight of\nDoD\xe2\x80\x99s security programs.         We will update the progress of security program\nmanagement in our 2016 report under P.L. 111-258.\n\n\nThis section will focus on the core issues related to managing the classified national\nsecurity information program.          General program management refers to the\nresponsibilities of departments and agencies carrying out the program under E.O.\n13526.       These responsibilities include the agency head demonstrating personal\ncommitment to the program, committing necessary resources to ensure its effective\nimplementation, and appointing a senior agency official (SAO) to direct and administer\nthe program. The SAO\xe2\x80\x99s responsibilities include:\n\n\n         \xe2\x80\xa2    overseeing the program established under E.O. 13526;\n\n         \xe2\x80\xa2    issuing implementing regulations;\n\n         \xe2\x80\xa2    establishing and maintaining an on-going self-inspection program;\n\n         \xe2\x80\xa2    ensuring that designating and managing classified information is\n              included as a critical rating element in the systems used to rate OCAs,\n              security managers or security specialists, and all other personnel whose\n              duties significantly involve creating or handling classified information,\n              including those who apply derivative classification markings;\n\n\n\n\n                                   DODIG-2013-142 | 7\n\x0c                                                                                 Finding A\n\n\n\n       \xe2\x80\xa2   establishing a secure capability to receive information, allegations, or\n           complaints regarding over-classification or incorrect classification\n           within the agency and to provide guidance as needed to personnel on\n           proper classification; and\n\n       \xe2\x80\xa2   establishing and maintaining security education and training programs.\n\nSecurity is a mission-critical function of DoD, and properly executed, has a direct impact\non all DoD missions and capabilities and on the national defense. We reviewed the\nclassification management program and the use of dissemination control markings to\nensure the following:\n\n\n       \xe2\x80\xa2   that necessary resources have been dedicated for effectively carrying out the\n           program;\n       \xe2\x80\xa2   that agency records systems are designed and maintained to optimize the\n           appropriate sharing and safeguarding of classified information; and\n       \xe2\x80\xa2   that an SAO has been designated to direct and administer the program.\n\n\nThe Under Secretary of Defense for Intelligence (USD(I)) is the Principal Staff Assistant\nand advisor to the Secretary and Deputy Secretary of Defense regarding security. In this\ncapacity, the USD(I) exercises the Secretary of Defense\xe2\x80\x99s authority, direction, and\ncontrol over the Defense Agencies and DoD Field Activities that are Defense security\nComponents and exercises planning, policy, and strategic oversight over all DoD\nsecurity policy, plans, and programs. The USD(I) serves as the DoD Senior Security\nOfficial under E.O. 13526, and advises the Secretary of Defense, the Secretaries of the\nMilitary Departments, the Chairman of the Joint Chiefs of Staff, and the Heads of other\nDoD Components on developing and integrating risk-managed security and protection\npolicies and programs, except for Nuclear Physical Security.\n\n\nThe USD(I) also develops, coordinates, and oversees carrying out DoD policy, programs,\nand   guidance    for   personnel,      physical,   industrial,   information,   operations,\nchemical/biological, and DoD Special Access Program security, as well as research,\ndevelopment, and acquisition protection.\n\n\nTo significantly enhance security program management and provide a governance\nmechanism to bring about a united approach to strategic oversight and advocacy of DoD\nsecurity capabilities, the USD(I) published DoD Directive 5200.43, \xe2\x80\x9cManagement of the\nDefense Security Enterprise,\xe2\x80\x9d which:\n\n\n\n\n                                 DODIG-2013-142 | 8\n\x0c                                                                                  Finding A\n\n\n\n\n   \xe2\x80\xa2    establishes policy and assigns responsibilities for managing the DSE;\n   \xe2\x80\xa2    establishes the DSE Executive Committee (DSE ExCom) and provides direction\n        for a comprehensive DSE policy and oversight framework and governance\n        structure to safeguard personnel, information, operations, resources,\n        technologies, and facilities against harm, loss, or hostile acts and influences;\n   \xe2\x80\xa2    deconflicts the DSE from other DoD security-related functions, such as force\n        protection, and provides for the alignment, synchronization, support, and\n        integration of those related security functions;\n   \xe2\x80\xa2    assigns responsibilities related to the DSE to the Defense Security Executive; and\n   \xe2\x80\xa2    provides a common lexicon for the DSE.\n\n\nSince the DSE\xe2\x80\x99s creation, the USD(I) has advanced enterprise management of security by\nchairing the DSE ExCom (the Deputy Under Secretary of Defense for Intelligence and\nSecurity serves as the chair), and the DSE Advisory Group (DSEAG -- the Director,\nSecurity Policy and Oversight Directorate, Office of the Deputy Under Secretary of\nDefense for Intelligence and Security [DUSD(I&S)] serves as the chair).\n\n\nThe DSE ExCom:\n\n    \xe2\x80\xa2   advises the USD(I), as the Defense Senior Security Official, on security policy\n        and training; provides recommendations on key policy decisions and\n        opportunities for standardization and improved effectiveness and efficiency;\n        and on carrying out cross-functional security policy coordination;\n\n\n    \xe2\x80\xa2   oversees carrying out the Defense security framework;\n\n\n    \xe2\x80\xa2   approves the strategic plan and monitors its execution;\n\n    \xe2\x80\xa2   commissions reviews and in-depth studies of security issues and, based on the\n        results, makes recommendations for developing or improving policies,\n        processes, procedures, and products to address pervasive, enduring, or\n        emerging security challenges;\n\n    \xe2\x80\xa2   reviews resource investments and priorities and recommends changes to the\n        Defense security program to the USD(I), through the Defense Security\n        Executive;\n\n\n\n\n                                   DODIG-2013-142 | 9\n\x0c                                                                                Finding A\n\n\n\n    \xe2\x80\xa2   assists with developing a Defense security framework that integrates, across all\n        security levels, personnel, physical, industrial, information, and operations\n        security, as well as special access program security policy and critical program\n        information protection policy.      This framework must align with, and be\n        informed by, other DoD security and security-related functions (e.g.,\n        counterintelligence, information assurance, nuclear physical security, chemical\n        and biological agent security, foreign disclosure, security cooperation,\n        technology transfer, export control, cyber security, anti-terrorism, force\n        protection, mission assurance, critical infrastructure, and insider threat policy);\n\n\n    \xe2\x80\xa2   provides a forum for identifying, documenting, and disseminating best\n        practices, including those associated with security risk management; and\n\n\n    \xe2\x80\xa2   identifies performance measures to be used to assess the effectiveness of the\n        Defense security program and its contribution to mission success.\n\n\nTo focus on the most challenging enterprise security issues, the DSEAG charters project\nteams, on an as needed basis, to develop solutions to some of the most pressing DSE\npriorities. A few key initiatives being addressed by current project teams include\nreforming the personnel security investigation process, quantifying security-related\ncosts across the Department, developing an enterprise-wide risk methodology,\nestablishing a Defense Security Enterprise Architecture, improving continuous\nevaluation capabilities, and professionalizing the security workforce.\n\n\nThe Security Policy and Oversight Directorate has also established the Defense Security\nOversight and Assessment Program (DSOAP) to address an Office of the USD(I)\n(OUSD(I)) strategic priority to put into operation Defense security policies and\ntransform the security community.        The program is a collaborative engagement\ndesigned to assess the effectiveness of security policies in the operational environment.\nOversight visits enable OUSD(I) to:\n\n    \xe2\x80\xa2   identify best practices and lessons learned for trend analysis and program\n        improvement;\n\n    \xe2\x80\xa2   develop and issue security policies that are current, operationally relevant,\n        adaptable, and informed by an assessment of risk;\n\n\n\n\n                                 DODIG-2013-142 | 10\n\x0c                                                                                  Finding A\n\n\n\n    \xe2\x80\xa2   execute an effective outreach and oversight program to improve security policy\n        and inform the DSE strategic direction;\n\n    \xe2\x80\xa2   identify and champion security best practices and enterprise capabilities; and\n\n    \xe2\x80\xa2   capture Component issues with DoD security policy in order to improve policy\n        (gaps, conflicts, lack of clarity).\n\nAs part of its strategic framework, the DSE has developed three key goals to aid in\nmaking better risk-based mitigation decisions regarding threats and security\nvulnerabilities related to all DoD assets across the DSE, as follows:\n\n\n    \xe2\x80\xa2   standardize security functions across DoD to achieve synergistic execution and\n        enhance operations;\n    \xe2\x80\xa2   allocate security resources to demonstrate a return on investment; and\n    \xe2\x80\xa2   improve individual performance to develop a cadre of highly-skilled security\n        professionals\n\n\nFrom a program management perspective, the DSE can begin to effectively address\nmany of its challenging security issues by collaborating with DoD senior leaders and\nsecurity subject matter experts, and through DSE members. These members are:\n\n\n    \xe2\x80\xa2   the DoD Component security program executives designated by the Secretaries\n        of the Military Departments and the Chairman of the Joint Chiefs of Staff;\n    \xe2\x80\xa2   representatives of the Under Secretaries of Defense for:\n            o   (Comptroller)/Chief Financial Officer;\n            o   Acquisition, Technology, and Logistics;\n            o   Policy; and\n            o   Personnel and Readiness;\n    \xe2\x80\xa2   the DoD Chief Information Officer;\n    \xe2\x80\xa2   the Director of Administration and Management;\n    \xe2\x80\xa2   the DoD General Counsel;\n    \xe2\x80\xa2   the Director, DoD Special Access Program Central Office; and\n    \xe2\x80\xa2   the Director, Counterintelligence Directorate, Office of the DUSD(I&S).\n\n\n\n\n                                   DODIG-2013-142 | 11\n\x0c                                                                               Finding A\n\n\n\n\nEffectiveness of Classification Management Policies\nand Control Marking Guidelines\nStandardized classification and control markings are the primary means by which the IC\nprotects intelligence sources, methods, and activities. Properly applying and using\nthese markings promotes information sharing while allowing the information to be\nproperly safeguarded from inadvertent or unauthorized disclosure.           Agencies are\nrequired to issue regulations to carry out their classified national security information\nprograms in accordance with E.O. 13526 and 32 C.F.R. Part 2001.\n\nWe used an \xe2\x80\x9cAgency Regulation Implementing Assessment Tool,\xe2\x80\x9d which ISOO provided.\nThe tool focuses on eight key areas for determining if applicable classification policies,\nprocedures, rules, and regulations have been adopted in accordance with E.O. 13526\nand 32 C.F.R. Part 2001. On April 2, 2013, the USD(I) published DoD Manual 5200.45,\n\xe2\x80\x9cInstructions for Developing Security Classification Guides,\xe2\x80\x9d and on February 24, 2012,\nthe USD(I) published DoD Manuals 5200.01, in four volumes:\n\n\n   \xe2\x80\xa2   Volume 1 -- DoD Information Security Program: Overview, Classification, and\n       Declassification;\n   \xe2\x80\xa2   Volume 2 -- DoD Information Security Program: Marking of Classified\n       Information;\n   \xe2\x80\xa2   Volume 3 -- DoD Information Security Program: Protection of Classified\n       Information; and\n   \xe2\x80\xa2   Volume 4 -- DoD Information Security Program: Controlled Unclassified\n       Information (CUI)\n\n\nWe mapped these issuances to E.O. 13526 and 32 C.F.R., Part 2001. As a result, we\nfound that policies were adopted at the Office of the Secretary of Defense-level. We\nsubsequently provided the regulation assessment tool to component-level IGs to map\nOffice of the Secretary of Defense-level issuances to the agency-level policy issuances.\nWe found that most agency policies had not yet been updated to reflect the guidance\nprovided in the four volumes of DoD Manuals 5200.01.\n\n\nDoD Manual 5200.01, Volume 2, \xe2\x80\x9cMarking of Classified Information,\xe2\x80\x9d February 24, 2012,\nAppendix 2 to Enclosure 4, discusses dissemination control markings for intelligence\ninformation.\n\n\n\n\n                                 DODIG-2013-142 | 12\n\x0c                                                                                Finding A\n\n\n\nIntelligence Community Directive (ICD) 710, \xe2\x80\x9cClassification Management and Control\nMarkings System,\xe2\x80\x9d June 21, 2013, governs the carrying out and oversight of the IC\nclassification management and control markings system, which provides the framework\nfor accessing, classifying, disseminating, and declassifying intelligence and intelligence-\nrelated information to protect sources, methods, and activities. The IC markings system\nis implemented and maintained through the Controlled Access Program Coordination\nOffice (CAPCO) Register and Manual.\n\nICD 710 applies to the IC and to such elements of any other department or agency, as\nmay be designated an element of the IC by the President or jointly by the DNI and the\nhead of the department or agency concerned. ICD 710 applies, under EO 13526, Section\n6.2(b), to the handling of intelligence and intelligence-related information and, under\nEO 13556, \xe2\x80\x9cControlled Unclassified Information,\xe2\x80\x9d November 4, 2010, Section 6(b), to the\nhandling of unclassified intelligence or intelligence-related information that requires\nsafeguarding through dissemination controls. Also see Appendix A, Observation D.\n\n\nPerformance Evaluations\nE.O. 13526 requires that the performance contract or other system used to rate civilian\nor military personnel performance includes the designating and managing of classified\ninformation as a critical element or item to be evaluated in the rating of OCAs, security\nprofessionals, or other personnel whose duties significantly involve handling classified\ninformation, including derivative classifiers.\n\n\nDating to at least 1997, DoD has required that the performance appraisal contain a\ncritical element. This policy (previously stated in DoD 5200.1-R, \xe2\x80\x9cInformation Security\nProgram,\xe2\x80\x9d paragraph C1.1.2.1., and now rescinded) stated: \xe2\x80\x9cManagement of classified\ninformation shall be included as a critical element or item to be evaluated in the rating\nof original classification authorities, security managers or specialists, and other\npersonnel whose duties primarily involve the creation or handling of classified\ninformation,\xe2\x80\x9d and is now found in DoD Manual 5200.01, Volume 1, Enclosure 2,\nparagraph 7h. We found that carrying out this requirement ranged from organizations\nnot having the critical element in their appraisals, to organizations that have maintained\nthis language since the original requirement.\n\n\nOn June 12, 2013, the USD(I) published a memorandum, \xe2\x80\x9cPerformance Appraisal Critical\nElement for the Protection of Classified Information,\xe2\x80\x9d directing that as part of the\nSecretary of Defense\xe2\x80\x99s \xe2\x80\x9ctop down\xe2\x80\x9d approach outlined in his October 18, 2012,\nmemorandum, \xe2\x80\x9cDeterring and Preventing Unauthorized Disclosures of Classified\n\n\n\n                                  DODIG-2013-142 | 13\n\x0c                                                                              Finding A\n\n\n\nInformation,\xe2\x80\x9d DoD Components integrate the requirements into their performance\nevaluation system. It also directs that Components give the Director, Security Policy and\nOversight Directorate, Office of the DUSD(I&S), an estimated date, no later than\nSeptember 30, 2013, for Component implementation. This requirement also includes\ninformation system security personnel, if their duties involve access to classified\ninformation and information system personnel (e.g., system administrators) with\nprivileged access to classified systems or network resources.\n\n\nOnce implementation plans are received, we will monitor the carrying out of the\nperformance appraisal critical element tasking for protecting classified information and\nreport the results in our 2016 report under P.L. 111-258.\n\n\nClassification Challenges\nAuthorized holders of information who, in good faith, believe that the information\xe2\x80\x99s\nclassification status is improper are encouraged and expected to challenge the\ninformation\xe2\x80\x99s classification status. An agency head or senior agency official should\nestablish procedures under which authorized holders of information, including\nauthorized holders outside the classifying agency, are encouraged and expected to\nchallenge the classification of information that they believe is improperly classified or\nunclassified. These procedures should ensure that: Individuals are not subject to\nretribution for bringing such actions; an opportunity is provided for review by an\nimpartial official or panel; and individuals are advised of their right to appeal agency\ndecisions to the Interagency Security Classification Appeals Panel.\n\nDoD Manual 5200.01 -- Volume 1, \xe2\x80\x9cDoD Information Security Program: Overview,\nClassification, and Declassification,\xe2\x80\x9d February 24, 2012, Enclosure 4, Section 6, states:\n\xe2\x80\x9cIf holders of information have substantial reason to believe that the information is\nimproperly or unnecessarily classified, they shall communicate that belief to their\nsecurity manager or the OCA to bring about any necessary correction. This may be done\ninformally or by submitting a formal challenge to the classification.\xe2\x80\x9d\n\n\nDuring our interviews, few instances were encountered where interviewees challenged\na classification, and in those instances where challenges were made, interviewees said\nthey were satisfied with how the challenge was resolved.          Interviewees said that\ntraining successfully addressed classification challenges.\n\n\n\n\n                                 DODIG-2013-142 | 14\n\x0c                                                                                Finding A\n\n\n\nOur office examined 254 SCGs available online, which revealed that only 37.5 percent of\nSCGs included guidance for individuals who want to challenge or question the level of\nclassified information. Such guidance is consistent with Section 1.8 of E.O. 13526 which\nstates that \xe2\x80\x9cauthorized holders of information who, in good faith, believe that its\nclassification status is improper are encouraged and expected to challenge the\nclassification status of the information.\xe2\x80\x9d    SCGs that include classification challenge\nguidance allow for a transparent process that provides derivative classifiers with the\nmeans to question the classification of potentially improperly classified information.\n\nSuch guidance also provides derivative classifiers with the assurance that the challenge\nprocess is supported. Current guidance for classification challenges as set forth in DoD\nManual 5200.45, \xe2\x80\x9cInstructions for Developing Security Classification Guides,\xe2\x80\x9d April 2,\n2013, reads as follows: \xe2\x80\x9cClassification Challenges.\n\nIf at any time, any of the security classification guidance contained herein is challenged,\nthe items of information involved shall continue to be protected at the level prescribed\nby this guide until such time as a final decision is made on the challenge by appropriate\nauthority. Classification challenges should be addressed to the OPR [office of primary\nresponsibility].\xe2\x80\x9d\n\nWhile this provides for classification challenges, it does not reflect the intent of E.O.\n13526 which states that such challenges are \xe2\x80\x9cencouraged.\xe2\x80\x9d Moreover, the paragraph\ndoes not provide derivative classifiers with the appropriate citations to help in the\nchallenge process.\n\n\nIncentives for Accurate Classification\nPublic Law 111-258, Section 6(a) states that \xe2\x80\x9cIn making cash awards under chapter 45\nof title 5, United States Code, the President or the head of an Executive agency with an\nofficer or employee who is authorized to make original classification decisions or\nderivative classification decisions may consider such officer\xe2\x80\x99s or employee\xe2\x80\x99s consistent\nand proper classification of information.\xe2\x80\x9d\n\nWe did not find information related to incentives for accurate classification in the\npolicies we reviewed, nor did we find any instances where organizations provided\nincentives for accurate classification, whether cash or otherwise.\n\n\n\n\n                                 DODIG-2013-142 | 15\n\x0c                                                                                   Finding A\n\n\n\n\nSanctions\nE.O. 13526 provides that officers and employees of the U.S. Government, and its\ncontractors, licensees, certificate holders, and grantees shall be subject to appropriate\nsanctions if they knowingly, willfully, or negligently disclose to unauthorized persons\ninformation properly classified under E.O. 13526 or predecessor orders; classify or\ncontinue classifying information in violation of this order or any implementing\ndirective; create or continue a special access program contrary to this order\xe2\x80\x99s\nrequirements; or contravene any other provision of this order or its implementing\ndirectives.   Sanctions may include reprimand, suspension without pay, removal,\ntermination of classification authority, loss or denial of access to classified information,\nor other sanctions in accordance with applicable law and agency regulation.\n\n\nIf the ISOO Director finds a violation of the order, the Director shall file a report with the\nagency head or to the SAO so that corrective steps, if appropriate, may be taken. We\nfound that policy covered sanctions, and OCAs and derivative classifiers were aware of\npossible sanctions. Our interviewees did not provide any instances where a sanction\nhad been imposed.\n\n\nThe agency head, SAO, or other supervisory official shall, at a minimum, promptly\nremove the classification authority of any individual who demonstrates reckless\ndisregard or a pattern of error in applying E.O. 13526 classification standards. The\nagency head or SAO shall take appropriate and prompt corrective action and notify the\nISOO Director when certain violations occur.\n\n\nDoD Manual 5200.01 -- Volume 1, \xe2\x80\x9cDoD Information Security Program: Overview,\nClassification, and Declassification,\xe2\x80\x9d February 24, 2012, Enclosure 3, Section 17, states:\nDoD military and civilian personnel may be subject to criminal or administrative\nsanctions if they knowingly, willfully, or negligently:\n\n    \xe2\x80\xa2   disclose to unauthorized persons information properly classified;\n\n    \xe2\x80\xa2   classify or continue the classification of information;\n\n    \xe2\x80\xa2   create or continue a special access program contrary to the requirements of DoD\n        Directive 5205.07, \xe2\x80\x9cSpecial Access Program (SAP) Policy,\xe2\x80\x9d July 1, 2010;\n\n    \xe2\x80\xa2   disclose controlled unclassified information to unauthorized persons; or\n\n    \xe2\x80\xa2   violate any other provision of the Manual.\n\n\n\n                                  DODIG-2013-142 | 16\n\x0c                                                                                Finding A\n\n\n\nSanctions include, but are not limited to: warning, reprimand, suspension without pay,\nforfeiture of pay, removal, discharge, loss, or denial of access to classified information\nand/or CUI, and removal of classification authority. Criminal prosecution may also be\nundertaken in accordance with sections 801-940 of title 10, U.S.C. (also known as \xe2\x80\x9cThe\nUniform Code of Military Justice\xe2\x80\x9d) and other applicable U.S. criminal laws.\n\nIf an individual is delegated to have OCA demonstrates reckless disregard or a pattern of\nerror in applying classification standards, the appropriate official shall, as a minimum,\nremove the offending individual\xe2\x80\x99s OCA.\n\n\nConclusion\nWe found that while security program management needs improvement, DoD has made\nsignificant progress in this area. Since August 2010, the Office of the Deputy Inspector\nGeneral for Intelligence and Special Program Assessments, OIG, DoD, has conducted a\nseries of assessments of Security within DoD, as follows: Tracking and Measuring\nSecurity Costs; Training, Certification and Professionalization; Security Policy; and the\nsoon-to-be published Classification and Grading of Security Positions. We will continue\nto do oversight of DoD\xe2\x80\x99s security programs. We will update the progress of security\nprogram management in our 2016 report under P.L. 111-258.\n\n\nWe mapped DoD issuances to E.O. 13526 and 32 C.F.R., Part 2001, and, as a result, found\nthat policies were adopted at the Office of the Secretary of Defense-level, but had not yet\nbeen adopted at the agency level. While some organizations had a critical element on\nsecurity in their performance evaluations, the USD(I) directed that Components\nprovide, no later than September 30, 2013, an estimated date for implementation for all\nDoD Components \xe2\x80\x93- we will monitor and report on this implementation\xe2\x80\x99s progress in\nour 2016 report under P.L. 111-258.\n\n\nWe found few instances where interviewees challenged a classification, and in those\ninstances where challenges were made, interviewees said they were satisfied with how\nthe challenge was resolved. Interviewees said that their training successfully addressed\nclassification challenges.   We found that policy covered sanctions and OCAs and\nderivative classifiers were aware of possible sanctions. We did not find any situation\nwhere a sanction had been imposed. We also found no incentives existed for accurate\nclassification either in policy or organizational programs.\n\n\n\n\n                                 DODIG-2013-142 | 17\n\x0c                                                                                   Finding A\n\n\n\nTo significantly enhance security program management and provide a governance\nmechanism to bring about an enterprise approach to strategic oversight and advocacy\nof DoD security capabilities, the USD(I) published, on October 21, 2012, DoD Directive\n5200.43, \xe2\x80\x9cManagement of the Defense Security Enterprise,\xe2\x80\x9d creating, for the first time, a\nDSE and attendant strategic framework to address security issues. The USD(I) has also\ncreated the DSE ExCom and the DSEAG to provide senior-level guidance, involvement,\norganization, and focus to critical security issues.\n\n\nRecommendations, Management Comments, and\nOur Response\nA. We recommend that the Under Secretary of Defense for Intelligence:\n\n\n        1. Provide the implementation status of DoD Component actions to include a\n            critical element on security in the Component\xe2\x80\x99s performance evaluations.\n\n\n        2. Revise policy to incorporate template language for security classification\n            guides that is consistent with the intent of E.O. 13526, as follows:\n\n\n                a. Section 5.3 of Executive Order 13526 and Enclosure 4, paragraph 22\n                    of DoD Manual 5200.01, Volume 1, \xe2\x80\x9cDoD Information Security\n                    Program: Overview, Classification, and Declassification,\xe2\x80\x9d February\n                    24, 2012, contain guidance for individuals who wish to challenge\n                    information that they believe has been improperly or unnecessarily\n                    classified.\n\n                b. Such challenges are encouraged and expected and should be\n                    forwarded through the appropriate channels to the office of primary\n                    responsibility.\n\n                c. Pending final decision, handle and protect the information at its\n                    current classification level or at the recommended change level,\n                    whichever is higher.\n\n                d. Challenges     should    include    sufficient   description    to   permit\n                    identification of the specific information under challenge with\n                    reasonable effort.\n\n\n\n\n                                  DODIG-2013-142 | 18\n\x0c                                                                           Finding A\n\n\n\n              e. Challenges should include detailed justification outlining why the\n                  information is improperly or unnecessarily classified.\n\n\nUnder Secretary of Defense for Intelligence Comments\nThe Under Secretary of Defense for Intelligence concurred with our recommendations.\n\n\nOur Response\nThe Under Secretary of Defense for Intelligence concurred with our recommendations;\nhowever, management did not provide information to identify what actions will be\ntaken and the date on which recommendations will be completed. Therefore, we\nrequest additional comments by October 30, 2013.\n\n\n\n\n                               DODIG-2013-142 | 19\n\x0c\x0c                                                                                Finding B\n\n\n\nThe responsible OCA shall issue security classification guidance for each system, plan,\nprogram, project, or mission involving classified information. Classification guidance\nmay be in the form of a memorandum, plan, order, or letter, or issuance of a security\nclassification or declassification guide.\n\nOCAs shall develop, as appropriate, automatic and systematic declassification guidance\nfor use in review of records that are of permanent historical value and 25 years old or\nolder.     This guidance shall be published in the appropriate classification or\ndeclassification guide.\n\nWhere classification guidance is issued in the form of an SCG, the OCA shall ensure the\nguide is reviewed and updated.\n\nAs a general rule, classification authority must be exercised an average of twice a year to\nqualify for retention of the OCA designation if an OCA does not issue and maintain an\nSCG.\n\n\nDesignation of Original Classification Authority,\nProgram Knowledge, and Training\nOCAs, also called original classifiers, include the President, Vice President, Secretary of\nDefense, the Secretaries of the Military Departments, and other DoD officials who have\nbeen specifically delegated this authority in writing. When OCA is granted, OCAs are\ndelegated classification authority specific to a level of classification and cumulative\ndownwards. For example, an OCA appointed with Top Secret classification authority\nmay classify information at the Top Secret, Secret, and Confidential levels. An OCA\nappointed with Confidential classification authority may only classify information at the\nConfidential level.\n\nOCAs may only classify information that is under their area of responsibility, such as a\nspecific project, program, or type of operation. For example, it would be inappropriate\nfor an air wing commander to classify information about a Navy undersea warfare\nprogram.\n\nWe determined that OCAs were properly designated. We conducted interviews of OCAs\nto evaluate their knowledge of classification management procedures. The interviews\nwere intended to help gauge if these individuals\xe2\x80\x99 job position required having OCA and if\nthe individuals have expert knowledge of the information and classification\nrequirements to ensure that information is not over-classified.\n\n\n\n\n                                   DODIG-2013-142 | 21\n\x0c                                                                                Finding B\n\n\n\nWe found that OCAs had received the required training and had satisfactory knowledge\nof classification principles and procedures.\n\n\nMost OCAs interviewed had made few, if any, original classification decisions; had not\nbeen confronted with classification challenges -- either as one who made such a\nchallenge or as an OCA who might have to respond to such a challenge; had sparingly\nused classification guides; or created classification guides/guidance. As a general rule,\nclassification authority must be exercised an average of twice a year to qualify for\nretention of the OCA designation if an OCA does not issue and maintain an SCG.\n\n\nConclusion\nWe found that OCAs were properly designated, knowledgeable of classification\nrequirements to ensure that information is not over-classified, and received the\nrequired training. We also found that most of the OCAs interviewed had made few, if\nany, original classification decisions or been confronted with classification challenges to\nclassification decisions.\n\n\nRecommendation, Management Comments, and Our\nResponse\nB.   We recommend that the Under Secretary of Defense for Intelligence direct\nComponent reviews of OCA positions to ensure that the position is needed.\n\n\nUnder Secretary of Defense for Intelligence Comments\nThe Under Secretary of Defense for Intelligence concurred with our recommendations.\n\n\nOur Response\nThe Under Secretary of Defense for Intelligence concurred with our recommendation;\nhowever, management did not provide information to identify what actions will be\ntaken and the date on which recommendations will be completed. Therefore, we\nrequest additional comments by October 30, 2013.\n\n\n\n\n                                 DODIG-2013-142 | 22\n\x0c\x0c                                                                               Finding C\n\n\n\nIn a June 2006 report, GAO stated that DoD\xe2\x80\x99s estimate of how many original and\nderivative classification decisions it makes annually is unreliable because those\ndecisions are based on data from the DoD components that were derived using different\nassumptions about what should be included and about data collection and estimating\ntechniques.\n\nNevertheless, this estimate is reported to the President and to the public. If the\nprocesses for collecting and manipulating data are properly implemented, data\nreliability could be improved, but only if the processes address the underlying lack of\nuniformity in how the individual DoD components are collecting and manipulating their\ndata to arrive at their estimates.\n\nWe found the same lack of uniformity with respect to the collection of SF 311 data\nthroughout DoD. However, DoD and other federal government agencies that use SF 311\nhave been working with ISOO to make this form more relevant.\n\n\nEach fiscal year, DoD Components are required to submit a consolidated SF 311 report\nconcerning their Information Security Classification Management Program. The SF 311\nreport should include a total number of classification decisions regardless of media --\nelectronic presentations, email, official correspondence or memoranda, photographs,\nreports and/or intelligence products, web pages, and wiki articles and blog articles.\n\n\nPreviously, ISOO asked agencies to report only the number of classified \xe2\x80\x9cfinished\nproducts,\xe2\x80\x9d a term which originated in the paper-based era and was often not easily\napplied in the electronic environment. However, because of the increasing use of the\nelectronic environment to share and disseminate information, we need to consider\nmore than just the \xe2\x80\x9cfinished product\xe2\x80\x9d concept and instead count all classification\ndecisions, regardless of the type of media. It was further requested that each reporting\nagency adjust its counting or sampling methodology to include such web applications as\nemail, wikis, and blogs.\n\n\nISOO initiated discussions with agency representatives to explore reforms of the SF 311\nreporting process. The consensus from these discussions focused on the need for a\nproposal to change the reporting requirements in Part E, \xe2\x80\x9cMandatory Declassification\nReview Requests and Appeals.\xe2\x80\x9d That section of the SF 311 was updated, and ISOO\nremains open for further discussion on improving the form.\n\n\n\n\n                                 DODIG-2013-142 | 24\n\x0c                                                                                Finding C\n\n\n\n\nAccounting for Costs\nAn FY 2012 ISOO cost report found that combined costs for Government and industry\nsecurity classification activities amounted to $10.96 billion. This is a decrease from FY\n2011 of $1.66 billion, or 13 percent. ISOO reports annually to the President on the\nestimated costs associated with agencies\xe2\x80\x99 implementation of E.O. 13526, and E.O. 12829,\nas amended, \xe2\x80\x9cNational Industrial Security Program.\xe2\x80\x9d\n\nISOO relies on the agencies to estimate and report the costs of the security classification\nsystem. Even if reporting agencies had no security classification activity, many of their\nreported expenditures would continue in order to address other, overlapping security\nrequirements, such as work force, facility and information systems protection, mission\nassurance operations, and similar needs.\n\n\nDoD Directive 5200.43 and the DSE Strategic Plan require quantifying security costs.\nThe DSE has created a framework for collecting security costs. The intent is to quantify\nthe cost of security resources regardless of whether they are funded via security or non-\nsecurity budgets or whether they support security, in part or in total.\n\n\nFundamental Classification Guidance Review (FCGR)\nResults:\nIn June 2006, GAO found that some of the DoD components and subordinate commands\nthat were examined routinely did not submit copies to a central library, as required, of\ntheir SCGs, and documentation that identifies which information needs protection and\nthe reason for classification. Also, some did not track their classification guides to\nensure they were reviewed at least every five years for currency, as required. DoD\npersonnel cannot be assured that they are using the most current information to\nderivatively classify documents. DoD is studying ways to improve its current approach\nto making security classification guides readily available, Department-wide.\n\n\nWe found that all SCGs were on the DTIC website, with the exception of SCGs marked\nsensitive or classified.\n\n\nOn April 2, 2013, USD(I) published DoD Manual 5200.45, \xe2\x80\x9cInstructions for Developing\nSecurity Classification Guides,\xe2\x80\x9d which requires OCAs to:\n\n\n\n\n                                 DODIG-2013-142 | 25\n\x0c                                                                               Finding C\n\n\n\n   \xe2\x80\xa2   issue and disseminate security classification guidance for each system, plan,\n       program, project, or mission involving classified information under their\n       jurisdiction;\n\n   \xe2\x80\xa2   review security classification guidance issued under their authority once every\n       five years to ensure currency and accuracy or sooner when necessitated by\n       significant changes in policy or in the system, plan, program, project, or mission;\n       and to update the guides as required;\n\n   \xe2\x80\xa2   revise, whenever necessary for effective derivative classification, SCGs issued\n       under their authority;\n\n   \xe2\x80\xa2   provide copies of any security classification guides issued under their authority,\n       as required by DoD Manual 5200.01, Volume 1, Enclosure 6;\n\n   \xe2\x80\xa2   cancel security classification guides when all information the guide specified as\n       classified has been declassified, or when a new classification guide incorporates\n       the classified information covered by the old guide and no reasonable likelihood\n       exists that any information not incorporated by the new guide shall be the\n       subject of derivative classification; and\n\n   \xe2\x80\xa2   coordinate with the Department of Energy, Office of Classification, through the\n       Deputy Assistant Secretary of Defense for Nuclear Matters, whenever OCAs\n       develop or revise SCGs with Restricted Data (RD) or Formerly Restricted Data\n       (FRD) information.\n\nAgencies completed the first executive branch-wide FCGR in FY 2012, a major\ninvestment in combating over-classification and limiting secrecy to only that\ninformation absolutely necessary to protect the national security. Twenty-five agencies\nwith original classification authority conducted comprehensive reviews of their\nclassification guidance, streamlining, and consolidating of 3,103 classification guides to\nreflect current circumstances.\n\n\nAs of June 27, 2012, DoD initiated a FCGR on 2,070 SCGs, retiring/cancelling 413 FCGRs,\nand reporting 1,657 FCGRs as active/current. The DoD FCGR program is a high-interest\nitem for the DSEAG.\n\n\n\n\n                                 DODIG-2013-142 | 26\n\x0c                                                                               Finding C\n\n\n\nWith respect to ODNI guidance to the IC, the Defense Intelligence Agency, Geospatial-\nIntelligence Agency, National Security Agency, and National Reconnaissance Office\nreported their FCGR execution status directly to ISOO, with a copy provided to the\nUSD(I).\n\n\nThese reviews\xe2\x80\x99 purpose was to ensure that guidance reflects current circumstances\nregarding what information warrants continued classification. Additionally, the reviews\nidentified information that no longer requires classification and can be expedited for\ndeclassification.   The reviews helped agencies ensure proper classification of\ninformation vital to national security, while avoiding over-classification and\nunnecessary classification of records.\n\n\nE.O. 13526 directed that the FCGR program be initiated. The order required all federal\nagencies with significant classification programs to review their classification guidance,\nand then provide summaries of their reviews to the ISOO Director by July 2012. DoD\ncompleted its review within the specified timeframe and submitted its information to\nISOO. The final report detailed the status of FCGR activities from 2011-2012 and results\nachieved to date.\n\n\nE.O. 13526 also required that these comprehensive reviews of an agency\xe2\x80\x99s classification\nguidance, particularly classification guides, continue periodically to ensure that\nguidance reflected current circumstances and to identify classified information that no\nlonger required protection and could be declassified. The next review is scheduled to be\ncompleted in 2017 and every five years thereafter.\n\n\nThe OUSD(I) administered the review of SCGs throughout DoD.             The goal was to\ncentralize SCGs in a repository to ensure the accessibility of guidance to DoD\ncomponents, and in accordance with E.O. 13526, to update guidance to eliminate\nredundancies and inaccuracies.\n\n\n\n\n                                 DODIG-2013-142 | 27\n\x0c                                                                                      Finding C\n\n\n\nAs a result of these efforts, 97 percent of DoD\xe2\x80\x99s SCGs were updated and/or declared\ncurrent, and 20 percent of DoD\xe2\x80\x99s non-compartmented 4 SCGs were eliminated. The\noverarching efforts are reflected below.\n\n\n\n                      DOD COMPONENT-BY-COMPONENT FINAL REPORT\n                     FUNDAMENTAL CLASSIFICATION GUIDANCE REVIEW\n\n\n\n\nWe conducted an independent review of SCGs to ensure that accessible information was\nboth current and appropriately classified.         To that end, SCGs were pulled from a\ncentralized repository at the Defense Technical Information Center (DTIC), which\nserves the DoD community as the largest central resource for DoD and government-\nfunded information related to science, technology, engineering, and business. DoD\nManual 5200.01, Volume 1, \xe2\x80\x9cDoD Information Security Program: Overview,\nClassification, and Declassification,\xe2\x80\x9d February 24, 2012, directs organizations to provide\na copy of approved SCGs to the Administrator, DTIC, which, in turn, makes the SCGs\naccessible online to DoD elements.\n\n\n\n\n4\n A term-of-art concerning information that is not derived from intelligence sources, methods, or\nanalytical processes that requires special handling.\n\n\n\n                                    DODIG-2013-142 | 28\n\x0c                                                                                Finding C\n\n\n\n\nDTIC lists 1,822 active SCGs, and of that number, only 1,138 SCGs were linked to\ndocuments we were able to review. To ensure consistency with the FCGR, we reviewed\nSCGs from the Army, Navy, Air Force, Joint Staff, Defense Advanced Research Projects\nAgency, Defense Threat Reduction Agency, and the Missile Defense Agency. Based on\nthe numbers reflected in the FCGR report, the statistically-supportable stratified sample\nsizes were determined for SCGs from the respective organizations. The following chart\nreflects the applied methodology.\n\nOptimum Sample Size for Proportions\n      Confidence Level        90%\n      Precision (ME) 5%\n      z-value                 1.645\n\nOrganization      Stratum       Error Rate   w.sqrt(pq)   wpq     est. sample    min n    Sample size\n                    Size                                              size\nArmy                345             0.2         0.08      0.03       33.07         30         34\nNavy                740             0.2         0.18      0.07       70.93         30         71\nAir Force           262             0.2         0.06      0.03       25.11         30         30\nDARPA               134             0.2         0.03      0.01       12.84         30         30\nMDA                 29              0.2         0.01      0.00        2.78         30         29\nJoint Staff         86              0.2         0.02      0.01        8.24         30         30\nDTRA                42              0.2         0.01      0.00        4.03         30         30\n    Total          1,638                        .40        .16                               254\n\nest. sample              156.6 157\ntot sample size          254\nReference:               Cochran, Wm. G. Sampling Techniques, 3rd Ed. 1977 pp. 108-110\n\nThe recommended sample size for some organizations exceeded the number of SCGs\navailable for review. In addition, as noted above, some SCGS were not accessible\nthrough the unclassified DTIC site. However, our office did review a total of 254 SCGs.\n\n\nThe review revealed some problems with the guides, which are available on the DTIC\nwebsite. Guidance from as early as 1997 (Information Security Program, January 1997,\nthe Assistant Secretary of Defense for Command, Control, Communications, and\nIntelligence) required organizations to submit DD Form 2024s, \xe2\x80\x9cDoD Security\nClassification Guide Data Elements,\xe2\x80\x9d with their approved SCGs. The form allows for\ngreater transparency in determining offices of primary responsibility and OCAs for\nassociated SCGs. Of the 254 SCGs reviewed, less than 44 percent contained this form.\n\n\n\n\n                                  DODIG-2013-142 | 29\n\x0c                                                                                      Finding C\n\n\n\n\nMoreover, 55 percent of the documents reviewed still reference E.O. 12958, which was\nsuperseded by E.O. 13526 which was signed on December 29, 2009, as the basis for\nclassification, regrading, 5 or declassification of information, and 4.7 percent contained\ndeclassification dates that had already occurred. DoD completed its FCGR in July 2012\nand, as noted previously, E.O. 13526 was signed almost three years earlier. As the\ncentral repository for unclassified SCGs, the information contained with the DTIC should\nreflect the most up-to-date guidance for all DoD elements.\n\n\nConclusion\nWe found that DoD\xe2\x80\x99s annual estimates of original and derivative classification decisions\nis unreliable because those decisions are based on data from DoD components that were\nderived using different assumptions about what should be included and about data\ncollection and estimating techniques. Although SCGs are now on the DTIC website,\nmore effective management of the SCGs is needed to ensure their accuracy and OCA\ninvolvement.\n\n\nRecommendations, Management Comments, and\nOur Response\nC. We recommend that the Under Secretary of Defense for Intelligence, in coordination\nwith the Under Secretary of Defense for Acquisition, Technology, and Logistics,\nincorporate into policy that:\n\n\n        1. Security Classification Guides forwarded to the Defense Technical\nInformation Center must be forwarded with the requisite DD Form 2024, and signed by\nthe appropriate Original Classification Authority to ensure accountability.\n\n\n        2. Defense Technical Information Center not accept DD Forms 2024 that are not\ncompletely filled out and signed by the appropriate agency.\n\n\n\n        3. A time requirement for the submission of updated SCGs be\n            established.\n\n\n\n5\n Regrading refers to changing a classification to the appropriate level based on the information\nbeing either overgraded (higher than appropriate) or undergraded (lower than appropriate).\n\n\n\n                                    DODIG-2013-142 | 30\n\x0c                                                                            Finding C\n\n\n\n       4. Reminders be sent to organizations as SCGs near biennial review\nrequirements.\n\n\nUnder Secretary of Defense for Intelligence Comments\nThe Under Secretary of Defense for Intelligence concurred with our recommendations.\n\n\nUnder Secretary of Defense for Acquisition, Technology\nand Logistics Comments\nThe Under Secretary of Defense for Intelligence concurred with our recommendations.\n\n\nOur Response\nThe Under Secretary of Defense for Intelligence and the Under Secretary of Defense for\nAcquisition, Technology and Logistics concurred with our comments; however,\nmanagement did not provide information to identify what actions will be taken and the\ndate on which recommendations will be completed. Therefore, we request additional\ncomments by October 30, 2013.\n\n\n\n\n                                DODIG-2013-142 | 31\n\x0c\x0c                                                                                      Finding D\n\n\n\n\n        \xe2\x80\xa2     promote understanding of DoD Information Security Program policies\n              and requirements and their importance to national security and national\n              interests;\n\n        \xe2\x80\xa2     instill and maintain continued awareness of security requirements; and\n\n        \xe2\x80\xa2     assist in promoting a high degree of motivation to support program\n              goals.\n\nThe Manual states that initial, refresher, training for OCAs, and specialized training must\nbe given to persons who apply original and derivative classification markings. It also\nrequires suspending OCA and derivative classification authority if these personnel fail to\nmeet the training requirements.\n\nThe Manual further states that security education and training may be accomplished by\nestablishing programs within the DoD Component, or using external resources, such as\nthe CDSE, or a combination of the two.            Security education and training shall be\nconducted continuously, not periodically. Other information and promotional efforts\nwill supplement periodic briefings, training sessions, and other formal presentations to\nensure that awareness and performance quality is continually maintained.\n\nThe training will include defining a security incident, a violation, and a compromise of\nclassified information, examples of each, and explaining the criminal, civil, and\nadministrative sanctions that may be taken against an individual who fails to comply\nwith program requirements or fails to protect classified information from unauthorized\ndisclosure.\n\nUsing job performance aids 6 and other substitutes for formal training is encouraged if\ndetermined to be the most effective way to achieve program goals.                     Circulating\ndirectives or similar material on a read-and-initial basis shall not be considered as the\nsole means of fulfilling any of the Enclosure\xe2\x80\x99s specific requirements. While no central\ntracking system exists, each organization tracks training to ensure that required\nperiodic training is conducted.\n\n\n6\n  Performance aids are sometimes called job aids, which is defined as a repository for\ninformation, processes, or perspectives that is external to the individual and that supports work\nand activity by directing, guiding, and enlightening performance. For example, CDSE uses an\nOCA DeskTop Reference and a Derivative Classification Training guide, which are used as job\nperformance aids.\n\n\n\n                                    DODIG-2013-142 | 33\n\x0c                                                                             Finding D\n\n\n\n\nCDSE Curriculum Revised to Meet the Requirements of\nE.O. 13526\n\nOCA and Derivative classifier curriculum complies with the requirements outlined in\nE.O. 13526 and DoD Manual 5200.01, Volumes 1-4. OCA and Derivative classifiers have\nthe option of receiving their required and refresher training through various training\nplatforms, to include instructor-led, eLearning, job aids, videos, shorts, and webinars.\nFunctional areas taught by CDSE include:\n\n\n   \xe2\x80\xa2   General Security;\n   \xe2\x80\xa2   Cybersecurity;\n   \xe2\x80\xa2   Industrial Security;\n   \xe2\x80\xa2   Information Security;\n   \xe2\x80\xa2   International Security;\n   \xe2\x80\xa2   Operations Security;\n   \xe2\x80\xa2   Personnel Security;\n   \xe2\x80\xa2   Physical Security;\n   \xe2\x80\xa2   Sensitive Compartmented Information;\n   \xe2\x80\xa2   Special Access Programs; and\n   \xe2\x80\xa2   Counterintelligence\n\n\nCDSE\xe2\x80\x99s Education Division offers graduate-level courses designed specifically to develop\nleaders for the DoD security community. Courses are delivered using a collaborative\nonline learning environment and are available to U.S. military and government\nemployees worldwide. No tuition or fees are required; however, some courses require\npurchasing textbooks. Most courses have received the American Council on Education\xe2\x80\x99s\nCollege Credit Recommendation Service ACE College Credit recommendation.\n\n\nCDSE\xe2\x80\x99s Training Division embraces the training challenges that the DoD security\ncommunity currently faces. With an eye toward innovation, the Training Division offers\ndiverse training courses and products presented through a variety of learning\nplatforms. The Training Division\xe2\x80\x99s courses and products continuously meet the needs of\neach target population\xe2\x80\x99s needs and are streamlined to the contemporary learner\xe2\x80\x99s\nperformance requirements and busy schedules.\n\n\n\n\n                                 DODIG-2013-142 | 34\n\x0c                                                                                Finding D\n\n\n\n\nThe Security Professional Education and Development program is a DoD security\nworkforce professionalization initiative that DSS administers through the CDSE. The\nSecurity Professional Education and Development program supports achievement of\ncommunity-defined skill standards and serves as a foundation for security workforce\nprofessionalization. The Security Professional Education and Development program\nfocuses on three critical elements: Education, Training, and Certification. Detailed\ninformation on the Security Professional Education and Development program is in DoD\nOIG Report No. DoDIG-2011-001, \xe2\x80\x9cAssessment of Security Within the Department of\nDefense \xe2\x80\x93 Training, Certification, and Professionalization,\xe2\x80\x9d October 6, 2011.\n\n\nThe CDSE has a number of ways it conducts outreach, as follows:\n\n\n   \xe2\x80\xa2   Facebook -- http://www.facebook.com/#!/pages/CDSE-Center-for-Development-\n       of-Security-Excellence/111635548863732.          CDSE uses Facebook to relay\n       information about upcoming classes and new products.            CDSE also relays\n       information from other sources about the work that DoD accomplishes.           The\n       account was created in April 2010 and is updated regularly.\n\n   \xe2\x80\xa2   Twitter -- https://twitter.com/TheCDSE. Since its creation in September 2010,\n       CDSE has posted 516 tweets, providing information on upcoming courses, new\n       course releases, as well as other CDSE news that target populations may find\n       important.\n\n   \xe2\x80\xa2   The CDSE YouTube Channel -- http://www.youtube.com/user/dsscdse. CDSE\n       has over 14,500 combined views of the videos and presentations on its YouTube\n       Channel. The channel\xe2\x80\x99s contents include video job aids, informational videos,\n       and recorded webinars.\n\nThe CDSE also periodically sends an electronic newsletter called the \xe2\x80\x9cCDSE Flash\xe2\x80\x9d that\nprovides a multitude of updates, including those about training. The newsletter is\nextremely informative. But it can only be sent to those individuals who have taken a\nCDSE course where they provided their email addresses. However, by forwarding the\nnewsletter to all the security managers, they could send it to all of their organization\xe2\x80\x99s\noriginal and derivative classifiers, where these individuals could get updates on new\ntraining and other matters.\n\n\n\n\n                                 DODIG-2013-142 | 35\n\x0c                                                                                   Finding D\n\n\n\n\nHowever, organization security representatives could ensure, through increased\noutreach, that OCAs and Derivative Classifiers are provided CDSE information. Such\noutreach would also ensure that these individuals are kept aware that training\nopportunities are always available.\n\n\nWe should emphasize that some organizations had very comprehensive and, depending\non the mission, tailored training programs. However, CDSE can provide consistency in\nsecurity education and training for both DoD and industry.\n\n\nConclusion\nWe found that policy requires initial, refresher, specialized training, and training for\nOCAs and persons who apply derivative classification markings.              It also requires\nsuspending OCA and derivative classification authority if these personnel fail to meet\nthe training requirements. Several persons we interviewed did not know of the DSS,\nand were not aware of the CDSE and its course offerings.\n\n\nRecommendation, Management Comments, and Our\nResponse\nD. We recommend that the Under Secretary of Defense for Intelligence develop a plan\nto:\n\n\n      1. Enhance its outreach to the security community to expand awareness of the\n         Center for Development of Security Excellence.\n\n\n      2. Ensure all original and derivative classifiers receive relevant and timely training\n         that is tailored to current policy, procedures, rules, and regulations.\n\n\nUnder Secretary of Defense for Intelligence Comments\nThe Under Secretary of Defense for Intelligence concurred with our recommendations.\n\n\nOur Response\nThe Under Secretary of Defense for Intelligence concurred with our recommendation;\nhowever, management did not provide information to identify what actions will be\ntaken and the date on which recommendations will be completed. Therefore, we\nrequest additional comments by October 30, 2013.\n\n\n\n                                   DODIG-2013-142 | 36\n\x0c                                                                               Appendix A\n\n\n\n\nAppendix A: Observations\nWe evaluated the effectiveness of policies for developing classification decisions;\nclassification by derivative classifiers; effectiveness of self-inspection programs; and IC\nCross-Cutting Issues. While there is need for improvement in all areas, because DoD is\nin the early stages of addressing these challenges, we believe the most effective method\nof oversight is to monitor these challenges and then identify and assess DoD\xe2\x80\x99s\nimprovements in our 2016 report under P.L. 111-258. We will also provide information\nto the IC IG as needed as issues arise during this period. Our observations of these\nevaluation areas are as follows:\n\n\nObservation A. Effectiveness of Policies for\nDeveloping Classification Decisions\nWe found that the policy for developing classification decisions is effective. We also\nfound no instances where information was originally classified for reasons other than\nthe defined areas for classification.\n\n\nWhile we did find some instances of over-classification, we do not believe that those\ninstances concealed violations of law, inefficiency, or administrative error; prevented\nembarrassment to a person, organization, or agency; restrained competition; or\nprevented or delayed the release of information that did not require protection in the\ninterest of national security.     However, we did find several instances where the\ninaccurate use of dissemination control and handling markings unnecessarily restricted\ninformation sharing.\n\n\nThis observation section will focus on the core issues of original classification to include\nthe appropriateness of original classification decisions and the proper marking of\nclassified information, which may include proper application of dissemination control\nmarkings.\n\n\n\n\n                                   DODIG-2013-142 | 37\n\x0c                                                                                 Appendix A\n\n\n\n\nOriginal Classification Decision Process\n\nOriginal classification is the act of making an initial decision that information requires\nprotection in the interest of national security and could be expected to cause damage if\nsubjected to unauthorized disclosure. It is a six-step process in which the classifier\nmust answer specific questions at each step and make considerations and decisions\nbefore classifying information. This process is designed to help OCAs make quality\nclassification decisions, as outlined in the Defense Security Service (DSS), Center for\nDevelopment of Security Excellence (CDSE). 7 The steps in the OCA desktop reference\nguide are described as follows:\n\nStep 1 -\xe2\x80\x93 Determination of Official Government Information\n\nThe OCA must determine if the information being considered for classification is official.\n\xe2\x80\x9cOfficial\xe2\x80\x9d in this context is defined as information owned by, produced by or for, or\nunder the control of the U.S. Government. Without the Government having some official\ninterest in the information, classification is not an option. If the information is not\nofficial, the process stops at Step 1, as the information would be ineligible for\nclassification. The Government would have to acquire proprietary or other official\ninterests before information could be classified. Defining information as \xe2\x80\x9cofficial\xe2\x80\x9d may\nsometimes cause confusion. Some information may fall within the criteria of the Patent\nSecrecy Act of 1952 and/or may require guidance from legal counsel. If the information\nis deemed official, the OCA would move to Step 2 in the decision process.\n\nStep 2 -- Determination of Eligibility for Classification\n\nThe OCA must consider if the information is eligible for classification, and if it is eligible,\ndetermine if the information is limited or prohibited from being classified.\n\nEligibility for Classification\n\nIf the information under consideration for classification cannot be placed in one or more\nof eight categories, it cannot be classified. The eight categories of information that E.O.\n13526 currently identifies that can be considered for classification are:\n\n7\n The CDSE provides DoD with a security center of excellence for professionalizing the security\ncommunity and for being the premier provider of security education and training for DoD and\nindustry under the National Industrial Security Program. The CDSE provides development,\ndelivery, and exchange of security knowledge to ensure a high-performing workforce capable of\naddressing security challenges.\n\n\n\n                                   DODIG-2013-142 | 38\n\x0c                                                                               Appendix A\n\n\n\n    \xe2\x80\xa2   military plans, weapons systems, or operations;\n\n    \xe2\x80\xa2   foreign government information;\n\n    \xe2\x80\xa2   intelligence activities (including covert action), intelligence sources or methods,\n        or cryptology;\n\n    \xe2\x80\xa2   foreign relations or foreign activities of the United States, including confidential\n        sources;\n\n    \xe2\x80\xa2   scientific, technological, or economic matters relating to national security;\n\n    \xe2\x80\xa2   U.S. Government programs for safeguarding nuclear materials or facilities;\n\n    \xe2\x80\xa2   vulnerabilities or capabilities of systems, installations, infrastructures, projects,\n        plans, or protection services relating to national security; and\n\n    \xe2\x80\xa2   weapons of mass destruction.\n\nThe information is not eligible for classification if another OCA has already classified it\nor if classification guidance is not already available in the form of security classification\nguides, plans, or other memorandums.              Within DoD, the majority of existing\nclassification guidance is indexed and issued via the Defense Technical Information\nCenter (DTIC), at www.dtic.mil.\n\nClassification Prohibitions and Limitations\n\nOnce information has been determined eligible for classification, the OCA must\ndetermine if the information is limited or prohibited from being classified.              In\naccordance with E.O. 13526, information may not be classified, continued to be\nmaintained as classified, or fail to be declassified in order to:\n\n    \xe2\x80\xa2   conceal violations of law, inefficiency, or administrative error;\n\n    \xe2\x80\xa2   prevent embarrassment to a person, organization, or agency;\n\n    \xe2\x80\xa2   restrain competition;\n\n    \xe2\x80\xa2   prevent or delay the release of information that does not require protection in\n        the interest of national security.\n\nLimitations to classifications include:\n\n\n\n                                   DODIG-2013-142 | 39\n\x0c                                                                           Appendix A\n\n\n\n\xe2\x80\xa2   basic scientific research information not clearly related to national security\n    should not be classified;\n\n\xe2\x80\xa2   information that has been declassified and released to the public under proper\n    authority may be reclassified only when the information may be reasonably\n    recoverable without bringing undue attention to the information. This means\n    that:\n\n        o   most individual recipients or holders are known and can be contacted\n            and all forms of the information to be reclassified can be retrieved from\n            these individuals, and\n\n        o   if the information has been made available to the public via such\n            facilities as U.S. Government archives or reading rooms, it can be or has\n            been withdrawn from public access without significant media, public\n            attention, or notice.\n\n\xe2\x80\xa2   DoD Component Heads, other than the Secretaries of the Military Departments,\n    should submit recommendations for reclassification of information under their\n    jurisdiction to the Secretary of Defense through the USD(I). Recommendations\n    for reclassification must include, on a document-by-document basis:\n\n        o   a description of the information;\n\n        o   all information necessary for the original classification decision in\n            accordance with E.O 13526, including classification level of the\n            information and declassification instructions to be applied.\n\n        o   when and how the information was released to the public.\n\n        o   an explanation as to why the information should be reclassified. Include\n            the applicable reason in accordance with E.O. 13526 and describe what\n            damage could occur to national security and what damage may have\n            already occurred as a result of the release.\n\n        o   the number of recipients and/or holders and how they will be notified of\n            the reclassification.\n\n        o   how the information will be recovered; and\n\n\n\n\n                                DODIG-2013-142 | 40\n\x0c                                                                              Appendix A\n\n\n\n            o   whether the information is in the custody of the National Archives and\n                Records Administration and whether the Archivist of the United States\n                must be notified of the reclassification.\n\nStep 3 -\xe2\x80\x93 Determination of the Impact on National Security\n\nAnother essential decision OCAs must make before they can say the information has\nbeen classified is to determine the potential for damage to national security if\nunauthorized release occurs. If it is determined that no potential exists for damaging\nnational security, the information will not be classified. If the potential exists for\ndamage to national security and the information is determined eligible for classification\nas defined in Step 2, the information is then determined classified.\n\nWhile it is not required to prepare a written description of the potential for damage to\nnational security before the information can be classified, OCAs must be able to defend\ntheir decision and identify or describe the potential damage if their decision is\nquestioned or challenged. It is recommended that the OCA justify this decision in\nwriting at the time when it is made so that when others assume their OCA\nresponsibilities, they will have proper information.\n\nThe OCA must also consider both the impact of classification itself, how over-\nclassification could potentially impede the operational effectiveness of entities that need\nthe information to complete their mission, and the possibility of protection.            If\nclassification is applied or reapplied, a reasonable possibility must exist that the\ninformation can be protected from unauthorized disclosure.\n\nStep 4 -- Determination of Appropriate Classification Level\n\nThe OCA must evaluate the impact of classification in order to identify the appropriate\nclassification level. The OCA must determine how sensitive the information is, what the\npotential damage to national security would be if the information was not protected,\nand assign a classification level based on that determination.         The OCA must use\nreasoned judgment to consider the extent of potential damage.\n\nThe classification levels are defined in relation to their potential damage to national\nsecurity:\n\n   \xe2\x80\xa2   If unauthorized disclosure of the information could reasonably be expected to\n       cause exceptionally grave damage to national security, it should be classified as\n       TOP SECRET.\n\n\n\n                                  DODIG-2013-142 | 41\n\x0c                                                                             Appendix A\n\n\n\n    \xe2\x80\xa2   If unauthorized disclosure of the information could reasonably be expected to\n        cause serious damage to national security, it should be classified as SECRET.\n\n    \xe2\x80\xa2   If unauthorized disclosure of the information could reasonably be expected to\n        cause damage to national security, it should be classified as CONFIDENTIAL.\n\nStep 5 -- Determination of Classification Duration\n\nAfter determining the level of classification, the OCA must determine the duration of\nclassification.   This involves reviewing the level of classification to determine\ndowngrading requirements and declassification when it is determined that the\ninformation no longer requires classification.\n\nDowngrading:\n\nThe OCA must evaluate the information to determine if a future specific date or event\ncould occur that results in diminishing the damage to national security to the point that\nallows for lowering the classification level. If a change occurs in the information\xe2\x80\x99s\nsensitivity, the OCA will need to assign a date or event for downgrading that\ninformation. If the OCA determines that the sensitivity will not decrease or cannot make\na determination on decreased sensitivity, the OCA will proceed to determine the\ndeclassification instructions.\n\nDeclassification:\n\nThe OCA must make declassification determinations for all classification decisions.\nWhen considering the duration of classification, the OCA must follow these guidelines:\n\n    \xe2\x80\xa2   if the OCA knows of a date within 10 years where the potential for damage from\n        compromise is no longer a national security concern, then that date is assigned\n        as the declassification date;\n\n    \xe2\x80\xa2   if the OCA cannot determine a date, but can identify an event that is expected to\n        occur within the next 10 years where the potential for damage from\n        compromise is no longer a national security concern, then that event is assigned\n        as the declassification instruction;\n\n    \xe2\x80\xa2   if the OCA determines that information requires protection beyond 10 years of\n        the original classification, the OCA may assign a date or event up to, but not\n        exceeding, 25 years from the date of the original decision;\n\n\n\n\n                                  DODIG-2013-142 | 42\n\x0c                                                                             Appendix A\n\n\n\n\n   \xe2\x80\xa2   human intelligence exemption -\xe2\x80\x93 An OCA shall apply the \xe2\x80\x9c50X1-HUM\xe2\x80\x9d exemption\n       with no date of declassification when classifying information that could be\n       expected to reveal the identity of a confidential human source or human\n       intelligence source. Only OCAs having jurisdiction over such information may\n       use this designation;\n\n   \xe2\x80\xa2   weapons of mass destruction exemption \xe2\x80\x93- An OCA shall apply the \xe2\x80\x9c50X2-WMD\xe2\x80\x9d\n       exemption with no date of declassification when classifying information that\n       could be expected to reveal the development, production, or use of weapons of\n       mass destruction. Only OCAs having jurisdiction over such information may use\n       this designation;\n\n   \xe2\x80\xa2   the 25X markings are applied when information is exempt from 25-year\n       automatic declassification, and cannot be used unless the specific information\n       has been approved through the Interagency Security Classification Appeals\n       Panel, generally in the form of a declassification guide. Such information must\n       be incorporated into classification guides.      The classification guide would\n       include the specific element of information and the level of classification.\n       (Examples of how this works would be \xe2\x80\x9c25X4, 20401010\xe2\x80\x9d or \xe2\x80\x9c25X9,\n       20300125.\xe2\x80\x9d) When the 25X marking is applied, the \xe2\x80\x9cDeclassify on\xe2\x80\x9d line would\n       include the symbol \xe2\x80\x9c25X\xe2\x80\x9d and a brief reference to that category and the new date\n       or event for declassification. For a complete list of the exemptions, refer to E.O.\n       13526; and\n\n   \xe2\x80\xa2   information classified in accordance with the Atomic Energy Act of 1954, as\n       amended (Restricted Data and Formerly Restricted Data), is exempt from\n       declassification requirements. For Restricted Data, classification decisions are\n       codified in the Department of Energy Classification Guide.          For Formerly\n       Restricted Data, classification decisions are documented in the Joint Department\n       of Energy/DoD Classification Guide.\n\nStep 6 -- Providing and Communicating Guidance for Derivative\nClassification\n\nThe OCA\xe2\x80\x99s final step in the original classification decision process is designating the\ninformation as classified and to communicate the decision. Three methods exist for\ncommunicating the decision.\n\n\n\n\n                                DODIG-2013-142 | 43\n\x0c                                                                                Appendix A\n\n\n\n    \xe2\x80\xa2   SCGs/declassification guides;\n\n    \xe2\x80\xa2   Properly-marked source documents; and\n\n    \xe2\x80\xa2   outline classification instructions on a DD Form 254, \xe2\x80\x9cDoD Contract Security\n        Classification Specification.\xe2\x80\x9d\n\nThe preferred method for communicating classification decisions is to communicate it\nthrough an SCG. The least common method for communicating the decision is to outline\nclassification instructions on a DD Form 254, which identifies all contractor-specific\nsecurity requirements and guidance. Its rare use may occur when a contract is required\nand needs classification instructions, but a classification guide is unavailable.\n\nOnce the decision is communicated, the decisions will be used by others who must work\nwith the information to make proper derivative classification decisions and ensure the\ninformation is properly protected from unauthorized disclosure. OCAs have the vital\ntask of effectively communicating their decisions.\n\n\nSecurity Classification Guide Analysis\n\nBecause the SCG is the preferred method for communicating classification decisions, we\nconducted a review of 254 SCGs that were available online at the DTIC website to\ndetermine the accuracy of information and identify areas for improvement. SCG content\nwas consistent with established guidance.         The SCGs contained valid reasons for\nclassification and consistently provided declassification guidance.\n\nWe found no instances where information was classified for reasons other than the\ndefined areas for classification. Based on our review, OCAs are effectively making\nclassification determinations on information that derivative classifiers will use. Finding\nD does identify some areas of concern regarding SCG administration and management.\nHowever, these concerns do not reflect issues with classification determinations or the\nprocedures used to make classification decisions.\n\n\nConclusion\nWe found that the policy for developing classification decisions is effective. For a vast\nmajority of documents, we found no instances where information was classified for\nreasons other than the defined areas for classification.\n\n\n\n\n                                  DODIG-2013-142 | 44\n\x0c                                                                              Appendix A\n\n\n\n\nObservation B. Classification by Derivative Classifiers\nCurrent standards and guidance exist for derivative classifiers; however, guidance is\nconflicting in some cases and not updated in others. Absent consistent policies and\ncoordinated training, persistent misclassification of classified documents will continue.\nHowever, as stated in Finding A, we mapped DoD issuances to E.O. 13526 and 32 C.F.R.,\nPart 2001, and as a result policies were adopted at the Office of the Secretary of\nDefense-level, but had not yet been adopted/promulgated at the agency level.\n\n\nThis section will focus on the core issues relating to derivative classification and the\nindividuals who make derivative classification decisions. All personnel with an active\nsecurity clearance can perform derivative classification.      All personnel who apply\nderivative classification markings must receive training on the proper application\nprinciples of E.O. 13526 prior to derivatively classifying information and at least once\nevery two years thereafter. Information may be derivatively classified from a source\ndocument or documents, or through using a classification guide.\n\nDerivative classifiers identified issues with conflicting and confusing marking standards.\nThe issues identified in the document review section reflect inconsistent standards and\nguidance with respect to the marking of derivatively classified documents. This is\nparticularly evident with emails. The documents exemplify the application of varying\nstandards in the marking of derivatively classified documents. The documents also\nprovide evidence of the disparate methods that derivative classifiers employ to resolve\nclassification discrepancies, which can adversely affect the sharing of classified\ninformation with key stakeholders and individuals with an identified need to know.\n\n\nInput from Derivative Classifiers\nWe reviewed comments from derivative classifiers to assess their knowledge of the\nclassification process and the appropriateness of derivative classification actions. To\nthat end, we asked if derivative classifiers had encountered issues with the classification\nof similar information at differing levels, inaccurate portion markings, conflicting\nguidance and the constraints that control markings might place on information\nsharing. We found that a majority of respondents have encountered similar information\nclassified at different levels.\n\nRespondents also noted the conflicting guidance regarding dissemination control\nmarkings. (See Appendix A, Observation D for further details on dissemination control\nmarkings.)     A majority also received no training on the process for challenging\ninformation they believed to be inappropriately classified.\n\n\n\n                                  DODIG-2013-142 | 45\n\x0c                                                                               Appendix A\n\n\n\nOur review of a sample of classified documents indicates that these inconsistencies have\nresulted in improperly and inaccurately marked documents, with several instances of\nmisclassification and a few instances of over-classification. Absent consistent policies\nand coordinated training, persistent misclassification of classified documents will\ncontinue. These incongruities burden derivative classifiers, who, as a result, resolve\ndiscrepancies inconsistently. Inappropriately classified information can also impede\nthe sharing of information with stakeholders and individuals with a legitimate need-to-\nknow.\n\nWhen asked if they had ever encountered similar information classified at different\nlevels, more than 60 percent of derivative classifiers queried responded affirmatively.\nOf that number, 18 percent indicated that when they tried to resolve classification\ninconsistencies, the guidance was neither clear nor consistent.           The majority of\nrespondents who encountered differing levels of classification for the same information\nchose to use the higher classification level to mark their derivative documents, using a\nbetter-safe-than-sorry approach to classification.\n\n\nSixty eight percent of respondents identified concerns with the consistent application of\nportion markings in classified documents, while 27 percent expressed specific concerns\nwith the system of dissemination controls. Specific comments included the need for\nmore training using portion markings and classification authority blocks to correspond\nwith new guidance.      One respondent noted the presence of conflicting and non-\nauthoritative policies citing organizational, ISOO, and Controlled Access Program\nCoordination Office (CAPCO) guidance that is not always in harmony.\n\n\nReview of Classified Documents\nWe conducted an independent review of classified documents to determine the\nprevalence of improperly and inaccurately marked documents. We reviewed 220\nclassified documents for consistency in portion markings, dissemination controls,\nclassification authorities, and declassification guidance. In total, we found that 70\npercent of the 220 documents reviewed had classification discrepancies. Moreover, 23\ndocuments, or approximately 10 percent, were misclassified or over-classified.\n\n\nA majority of the documents (52 percent) had issues with the classification block to\ninclude incorporating new guidance regarding the \xe2\x80\x9cclassified by\xe2\x80\x9d line. Without the\n\xe2\x80\x9cclassified by\xe2\x80\x9d information, in the event of a challenge, a successful potential challenge is\nproblematic. Other documents still cited E.O. 12958 for classification authorities and\ndeclassification exemptions.\n\n\n\n                                  DODIG-2013-142 | 46\n\x0c                                                                              Appendix A\n\n\n\n\nOne-hundred percent of emails we reviewed contained errors in marking or\nclassification. To improve, DoD is working on efforts to enhance proper classification in\nthe electronic environment to ensure meeting the requirements of Section 1.6 and 2.1 of\nE.O. 13526. Of particular concern is the amount of misclassification historically seen in\nroutine information and emails on classified information systems. This misclassification\nis often abetted by default email marking tool settings that allow the user to accept the\ndefault without further consideration of whether other markings are required by the\nemail\xe2\x80\x99s content. To address this situation, DoD is working to issue technical guidance to\nsystem administrators requiring:\n\n   \xe2\x80\xa2   email marking tools be deployed to all classified information systems;\n\n   \xe2\x80\xa2   the tools be configured with no default setting; and\n\n   \xe2\x80\xa2   the requirement for a classification marking be enforced by the tool/technical\n       solution.\n\nSpecific examples of over-classification included a document that referenced\ninformation from an open-source publicly-available report on corruption.               The\nderivative classifier classified the analysis of the information citing no classification\nauthority. Another instance involved a template automatically marked SECRET even\nthough the entire content was shown to have \xe2\x80\x9cnothing significant to report.\xe2\x80\x9d\n\n\nConclusion\nDerivative classifiers identified issues with conflicting and confusing marking standards.\nMoreover, they noted that supporting guidance is not always updated to reflect current\nclassification standards.   Derivative classifiers also expressed frustration regarding\never-changing standards and the sometimes unclear and inconsistent processes applied\nto resolve classification concerns. However, as stated in Finding A, we mapped DoD\nissuances to E.O. 13526 and 32 C.F.R., Part 2001, and as a result policies were adopted\nat the Office of the Secretary of Defense-level,              but had not yet been\nadopted/promulgated at the agency level.\n\nThe issues identified in the document review section reflect inconsistent standards and\nguidance regarding the marking of derivatively classified documents.               This is\nparticularly evident with emails, where those we reviewed displayed some form of\nmarking or classification error. The documents exemplify the application of varying\nstandards in the marking of derivatively classified documents, and provide evidence of\n\n\n\n                                 DODIG-2013-142 | 47\n\x0c                                                                                 Appendix A\n\n\n\nthe disparate methods employed by derivative classifiers to resolve classification\ndiscrepancies.   These inconsistencies can adversely affect the sharing of classified\ninformation with key stakeholders and individuals with an identified need-to-know.\n\n\nWe will continuously monitor DoD\xe2\x80\x99s progress to strengthen these efforts, especially as it\nrelates to agency efforts to update policy to fully align with Office of the Secretary of\nDefense-level policy, as well as classification management in the electronic\nenvironment, and report the progress in our 2016 report under P.L. 111-258.\n\n\nObservation C. Effectiveness of Self-Inspection\nPrograms\nWe found that for the self-inspection programs the description, assessment and\nsummary, specific discrepancy reports, and successful practices provided a\ncomprehensive picture of DoD\xe2\x80\x99s overall security program management efforts.\n\n\nThis section will focus on the effectiveness of the agency self-inspection program.\nSection 5.4(d)(4) of E.O. 13526, and 32 C.F.R. Part 2001.60 requires SAOs to establish\nself-inspection programs and issues reports annually on these programs to the ISOO\nDirector. The reports provide information about the structure and implementation of\nthe agency's self-inspection program and details this program\xe2\x80\x99s findings, which the SAO\nestablished to help oversee the agency's classified national security information\nprogram.\nThroughout our evaluation, our findings were similar to those reporting in the DoD Self-\nInspection Program below.\n\n\nSelf-Inspection Reporting\nE.O. 13526, Section 5.4(d), requires agencies to establish and maintain ongoing self-\ninspection programs, and report each year to the ISOO Director on those programs.\nSelf-inspections evaluate the effectiveness of agency programs covering original\nclassification, derivative classification, declassification, safeguarding, security violations,\nsecurity education and training, and management and oversight. In addition, self-\ninspections include regular reviews of representative samples of agencies\xe2\x80\x99 original and\nderivative classification actions; these samples must encompass all agency activities\nthat generate classified information, and appropriate agency officials must be\nauthorized to correct misclassification actions.\n\n\n\n\n                                   DODIG-2013-142 | 48\n\x0c                                                                            Appendix A\n\n\n\nThe USD(I) developed its comprehensive DoD report based on the security posture\ninformation received from the SAOs of the following DoD entities:\n\n   \xe2\x80\xa2   the Department of the Army;\n\n   \xe2\x80\xa2   the Department of the Navy;\n\n   \xe2\x80\xa2   the Department of the Air Force;\n\n   \xe2\x80\xa2   the Joint Staff;\n\n   \xe2\x80\xa2   the Missile Defense Agency;\n\n   \xe2\x80\xa2   the Defense Advanced Research Projects Agency;\n\n   \xe2\x80\xa2   the Defense Threat Reduction Agency; and\n\n   \xe2\x80\xa2   the designated federal entities -- the Defense Intelligence Agency, the National\n       Geospatial-Intelligence Agency, the National Security Agency, and the National\n       Reconnaissance Office.\n\nSelf-Inspection Program Policy\n\n\n   \xe2\x80\xa2   DoD Manual 5200.01, Enclosure 2, Volume 1, paragraph 7d, requires SAOs to\n       establish and maintain an ongoing self-inspection and oversight program to\n       evaluate and assess the effectiveness and efficiency of the DoD Component\xe2\x80\x99s\n       implementation of that portion of the information security program pertaining\n       to classified information.\n\n\n   \xe2\x80\xa2   DoD Manual 5200.01, Enclosure 2, Volume 1, paragraph 7d(3), requires self-\n       inspections to be conducted at least annually, with the frequency established\n       based on program needs and classification activity. DoD Component activities\n       that originate significant amounts of classified information should be inspected\n       at least annually. Annual reports on the Component\xe2\x80\x99s self-inspection program\n       should be submitted, as required, by ISOO and/or USD(I).\n\n\n\n\n                                    DODIG-2013-142 | 49\n\x0c                                                                           Appendix A\n\n\n\n\nDoD Self-Inspection Results\n\nDescription of the DoD Self-Inspection Program\n\n\nIn accordance with E.O. 13526 and 32 C.F.R. Part 2001, and ISOO memorandum of June\n29, 2012, agencies were required to establish and maintain an ongoing self-inspection\nprogram, which includes the regular reviews of representative samples of the agency's\noriginal and derivative classification actions.\n\n\nDoD is a large department, comprised of more than 40 major Components. The USD(I)\nis designated as the SAO for the DoD Self-Inspection Program. DoD Manual 5200.01,\nVolumes 1-3, carry out E.O. 13526 and 32 C.F.R., Part 2001. DoD Components are\nrequired to carry out an information security program to protect classified national\nsecurity information.\n\n\nTo this end, a standard checklist was developed and forwarded to the Components to\nuse when developing their annual self-inspection reports. Some Components used\nalready-established methods to conduct their self-inspections and some used the\nUSD(I)-provided template. USD(I) received approximately 40 separate self-inspection\nreports. DoD Components used a variety of work methods to conduct self-inspections.\n\n\nThese methods included interviews of employees and contractors by security\nprofessionals, security managers, and designated teams; reviews of representative\nsamples of their classified information (document and electronic storage media) based\non unit or organizational mission; and inspections of facilities handling classified\nmaterials. Inspection schedules vary, but were conducted annually, quarterly, and\nrandomly, as necessary.\n\n\nThe DoD self-inspections evaluated general adherence to the principles and\nrequirements of E.O. 13526 and 32 C.F.R., Part 2001, and the overall effectiveness and\nimplementation of requirements from DoD Manual 5200.01 Volumes 1-3, covering:\n\n\n        \xe2\x80\xa2   Original Classification\n\n        \xe2\x80\xa2   Derivative Classification\n\n        \xe2\x80\xa2   Declassification\n\n\n\n\n                                  DODIG-2013-142 | 50\n\x0c                                                                             Appendix A\n\n\n\n       \xe2\x80\xa2   Safeguarding\n\n       \xe2\x80\xa2   Security Violations\n\n       \xe2\x80\xa2   Security Education and Training\n\n       \xe2\x80\xa2   Management and Oversight\n\nThe DoD Self-Inspection Program included and assessed all DoD Components that\ncreate, generate, produce, or handle classified information. Components were tasked\nwith analyzing their findings and taking measures to correct any deficiencies discovered\nduring the self-inspection process.\n\n\nComponents submitted their reports to the Office of the Under Secretary of Defense for\nIntelligence (OUSD(I)) Security Policy and Oversight Directorate, where submissions\nwere consolidated and then forwarded to ISOO.\n\n\nAssessment and Summary\n\n\nOriginal Classification: All DoD OCAs are designated as such in writing and have\nreceived formal, documented training. If DoD OCAs are found to be non-compliant\nfor any reason, their authority is suspended until they are in compliance.\nComponents with OCAs reported that 100 percent of these individuals have\nreceived required training and understand their responsibilities. DoD Components\nreported no specific issue items or material weaknesses during the self-inspection.\n\n\nDerivative Classification: Within DoD, all cleared personnel who generate or create\ninformation that is derivatively classified should ensure that the derivative\nclassification is made in accordance with DoD Manual 5200.01.             No specific,\nindividual delegation of authority is required. During this inspection period, most\nComponents reported that 90 to 100 percent of their derivative classifiers received\ntraining and know about their responsibilities as derivative classifiers (See Finding\nD with regard to security education and training). DoD Components reported no\nspecific issue items or material weaknesses during the self-inspection.\n\n\n\n\n                                 DODIG-2013-142 | 51\n\x0c                                                                              Appendix A\n\n\n\nDeclassification:       DoD policy provides specific guidelines pertaining to\ndeclassification and who is authorized in the Department to declassify information.\nDeclassification does not authorize releasing the information to the public. DoD\nComponents reported no specific issue items or material weaknesses during self-\ninspection. However, this issue remains of high interest with both the OUSD(I) and\nthe DoD Inspector General as the requirements of the \xe2\x80\x9cReducing Over-Classification\nAct\xe2\x80\x9d are carried out.\n\nSafeguarding: Each Component in DoD has policies and procedures in its possession\ngoverning the proper safeguarding of classified national security information. DoD\npolicy states that Components should have a system of control measures that ensure\nthat access to classified information is limited to authorized persons.        DoD is\neffectively applying agency-wide safeguarding measures for classified information\nin accordance with Department policies. DoD Components reported no specific\nissue items or material weaknesses during the self-inspection.\n\n\nSecurity Violations: On October 18, 2012, the Secretary of Defense mandated that\nall DoD Components use the central DoD-wide security reporting system that USD(I)\nestablished, in addition to existing reporting requirements.          This serves to\nstrengthen accountability in the DoD reporting system. DoD has also established an\nUnauthorized Disclosure Team whose mission is to prevent and deter DoD\npersonnel from unauthorized disclosure of classified information. In addition, DoD,\nin collaboration with the DNI, developed a strategic plan to address unauthorized\ndisclosures. This plan will integrate and strengthen DoD's processes to report,\nassess damage, and monitor implementation of administrative, management, and\ninvestigative actions. DoD Components reported no specific issue items or material\nweaknesses during the self-inspection.\n\nSecurity Education and Training: DoD policy states that all personnel, including\nDoD civilians, military members, and on-site support contractors, receive an initial\norientation about the DoD Information Security Program.           This orientation is\ndesigned to define classified information, produce a basic understanding of security\npolicies and principles, notify personnel of their responsibilities within the security\nprogram, and inform personnel of the administrative, civil, and/or criminal\nsanctions that can be applied, when appropriate. All DoD personnel with continuing\naccess to classified information must also receive annual refresher training that\nreinforces the policies, principles, and procedures covered in their annual and\nspecialized training.\n\n\n\n\n                                 DODIG-2013-142 | 52\n\x0c                                                                             Appendix A\n\n\n\n\nSecurity education and training is accomplished either by established programs\nwithin the Component or by using external resources, such as the CDSE of the DSS.\nSome DoD Components choose combining internal and external resources. DoD\ntraining includes initial training, annual refresher, OCA, derivative, and specialty\ntraining. DoD Components reported no specific issue items or material weaknesses\nduring the self-inspection.\n\nManagement and Oversight: The SAO that the head of the DoD Component appoints\nhas day-to-day responsibility for the direction, carrying out, and oversight of the\nComponent's information security program and for its efficient and effective\nimplementation. One of the Component SAO\xe2\x80\x99s responsibilities is to establish and\nmaintain an ongoing self-inspection and program oversight function.          All DoD\nComponents are in compliance with DoD policy relating to management and\noversight.\n\n\nDoD Components reported no specific issue items or material weaknesses during\nthe self-inspection. USD(I) is responsible for strategic oversight of DoD security\nprogram implementation.\n\n\nThe DSOAP operates in support of this oversight effort.         The DSOAP was not\ndesigned to conflict with, or circumvent Components' existing oversight\nmechanisms, but is a collaborative endeavor intended to assess the effectiveness of\nsecurity policies in operational environments. Oversight visits have allowed for\ntrend analysis and program improvements.\n\n\nSpecific Discrepancy Reports\n\n\nDuring the self-inspection process, DoD Components reported various discrepancies\nwith corrective action taken or planned.         The following are the most common\ndiscrepancies discovered:\n\n\n       \xe2\x80\xa2     missing overall classification on the top, bottom, front, and the back of\n             the classified document;\n\n       \xe2\x80\xa2     missing portion markings;\n\n       \xe2\x80\xa2     electronic media not properly marked;\n\n\n\n\n                                  DODIG-2013-142 | 53\n\x0c                                                                             Appendix A\n\n\n\n       \xe2\x80\xa2   end-of-day checks not conducted;\n\n       \xe2\x80\xa2   multiple sources, but these sources are not listed;\n\n       \xe2\x80\xa2   improper creation and marking of classified products; and\n\n       \xe2\x80\xa2   point/talking papers containing classified information improperly\n           marked.\n\nSuccessful Practices\n\n\nDoD Components identified best practices, as required in DoD policy, as follows:\n\n\n       \xe2\x80\xa2   using SharePoint to make available all information Security Managers\n           need to manage their program and share unit best practices;\n\n       \xe2\x80\xa2   creating and using an Electronic Security Manager Handbook;\n\n       \xe2\x80\xa2   providing and maintaining open communications between different\n           levels of management structure within the organization;\n\n       \xe2\x80\xa2   establishing online training tools to improve ability to track completion\n           of training requirements;\n\n       \xe2\x80\xa2   issuing the recently-developed quarterly Security Newsletter that\n           provides informational security articles, security updates, and upcoming\n           security courses;\n\n       \xe2\x80\xa2   maintaining an automated security incident reporting program;\n\n       \xe2\x80\xa2   maintaining complete inventories of all classified documents and\n           electronic media to provide precise tracking of classified holdings;\n\n       \xe2\x80\xa2   developing organization derivative classification training;\n\n       \xe2\x80\xa2   reviewing the process for public release of information;\n\n       \xe2\x80\xa2   maintaining a central Security Education and Awareness mailbox with\n           all questions answered by close of business;\n\n\n\n\n                                DODIG-2013-142 | 54\n\x0c                                                                                    Appendix A\n\n\n\n        \xe2\x80\xa2   tracking of mandatory annual security and derivative classifier training\n            by the Human Resources Information System of Record, which enhances\n            better oversight of training completion rates; and\n\n        \xe2\x80\xa2   developing a comprehensive security database, which reflects final\n            adjudication and investigation of security incidents.\n\n\nConclusion\nWe found that the description, assessment and summary, specific discrepancy reports,\nand successful practices offered a comprehensive picture of DoD\xe2\x80\x99s security program\nmanagement efforts. Additionally, based on our review of each entity\xe2\x80\x99s self-inspection\nreport, interviews, and questionnaire analysis, the DoD self-assessment report\xe2\x80\x99s\ninformation does provide an excellent opportunity to understand weaknesses,\nopportunities, and successful practices for program improvement.\n\n\nObservation D. Intelligence Community Cross-\nCutting Issues\nWe found instances where dissemination control markings were incorrectly applied,\nwhich could unnecessarily restrict the sharing of information. However, we also found\nthat DoD policy states that dissemination of information regarding intelligence sources,\nmethods, or activities should be consistent with directives that the DNI issued. DNI\nDirectives are electronically available to DoD personnel, as is the CAPCO Register and\nMarking Implementation Manual, 8 on the Joint Worldwide Intelligence Communications\nSystem (JWICS) and SECRET Internet Protocol Router Network (SIPRNET).\n\nFor IC components within the DoD, this section will focus on the organization\xe2\x80\x99s ability to\nadequately carry out appropriate ODNI-issued IC guidance related to classification\nmanagement, and classification and control markings. It will also determine if ODNI-\nissued IC policies, procedures, rules, regulations, or management practices may have, or\nare contributing to, persistent misclassification; or have resulted in the lack of access for\nDoD programs to ODNI-produced classified documents or information. The section is\nalso intended to inform and facilitate an understanding about whether \xe2\x80\x93- and the extent\nto which \xe2\x80\x93- national intelligence information is being provided to appropriate parties\nwithout delay or unnecessary restrictions.\n\n8\n  The [Controlled Access Program Coordination Office] CAPCO Register and Manual includes all\nmarkings authorized for use with classified or unclassified intelligence information, as\napplicable, to communicate one or more of the following: classification type and level, controlled\naccess programs, foreign government information, dissemination controls, disclosure and\nrelease determinations, and other warnings.\n\n\n\n                                    DODIG-2013-142 | 55\n\x0c                                                                                    Appendix A\n\n\n\n\nDoD Policy Related to Intelligence Community Guidance\nDefense Intelligence Components and personnel working with intelligence and\nintelligence-related information under DNI\xe2\x80\x99s purview refer to ICD 710, the \xe2\x80\x9cAuthorized\nClassification and Control Markings Register\xe2\x80\x9d -- the \xe2\x80\x9cCAPCO Register\xe2\x80\x9d -- and the IC\nClassification and Control Markings Implementation Manual for guidance on marking\nand dissemination of classified and unclassified intelligence information. The CAPCO\nRegister and associated Marking Implementation Manual are available electronically on\nthe JWICS and SIPRNET. IC-wide guidance and criteria (i.e., ICDs, Intelligence\nCommunity Policy Guidance, and CAPCO Register and Manual, etc) are referenced in\nDoD policy.\n\nCertain dissemination control markings are authorized for use only on intelligence\ninformation. Among these are \xe2\x80\x9cNOFORN,\xe2\x80\x9d 9 \xe2\x80\x9cRELIDO,\xe2\x80\x9d 10 and \xe2\x80\x9cIMCON.\xe2\x80\x9d 11 DoD\nIntelligence Components refer to policy and implementing guidance that the DNI issued\non marking intelligence and intelligence-related information and products under the\nDNI\xe2\x80\x99s purview. Information on intelligence control markings is in DoD Manual 5200.01,\nVolume 2, Appendix 2, February 24, 2012, to help those involved in other DoD activities\nto understand the meaning and use of such markings.\n\nBased on our analysis, interviews, and response to questionnaires, the NOFORN\ndissemination control marking was seemingly the most misunderstood dissemination\ncontrol marking, with the possibility of having a detrimental impact on sharing with\ncoalition partners. NOFORN is applied to classified intelligence that may not be released\nin any form to foreign governments, foreign nationals, foreign organizations, or non-U.S.\ncitizens without permission from the information\xe2\x80\x99s originator; however, in some\ninstances, legitimately releasing the information to foreign partners is not carefully\nconsidered.\n\n\n\n\n9\n  NOFORN (Not Releasable to Foreign Nationals) is applied to classified intelligence that may not\nbe released in any form to foreign governments, foreign nationals, foreign organizations, or non-\nU.S. citizens without permission of the information\xe2\x80\x99s originator.\n10\n   RELIDO (Releasable by Information Disclosure Official) is a dissemination control marking that\nmay be applied to national intelligence information to indicate that the originator has authorized\nDesignated Intelligence Disclosure Officials, or their designee, to make further release\ndeterminations in accordance with existing foreign disclosure policy and procedures.\n11\n   IMCON (Controlled Imagery) is used to protect sources and analytic methods associated with\nthe geospatial intelligence discipline that are particularly vulnerable to countermeasures, and if\ndisclosed or released, could negate or measurably reduce the effectiveness of those\nmethodologies.\n\n\n\n                                    DODIG-2013-142 | 56\n\x0c                                                                            Appendix A\n\n\n\nNOFORN\xe2\x80\x99s overuse was also mentioned, with one respondent saying that personnel\nsometimes placed NOFORN with no supporting requirement aimed at ensuring their\nproducts are not released to foreigners. Additional comments on NOFORN\xe2\x80\x99s use cited\nthe constraints it presented when organizations needed to share information with non-\nU.S. allies. In one instance, a \xe2\x80\x9cForeign Disclosure Officer\xe2\x80\x9d was asked to release the\nrequired information. Once approval was secured, the information was shared only to\ndiscover that the partners already had the information and had undergone a similar\nprocess with their \xe2\x80\x9cForeign Disclosure Officer\xe2\x80\x9d to pass the information to the United\nStates.\n\n\nOne respondent acknowledged that the reflexive marking of a SECRET document with\nNOFORN was a problem, citing a concern that some people believe that without\nNOFORN, information was automatically shared with partner nations. The respondent\nsaid that personnel did not realize that SECRET information is automatically not\nreleased and that mechanisms (e.g., tetragraphs) exist to regulate the release of\ninformation without needing to apply the additional control of a NOFORN caveat. The\n\xe2\x80\x9cconflicting guidance from the Intel community\xe2\x80\x9d was also cited as a concern, resulting in\nadding confusing marking requirements.\n\n\nReflecting the above comments, 26 percent of derivative classifiers that were\nquestioned identified the unnecessary use of dissemination control markings. A small\nnumber (five percent) said that dissemination control markings prevented the release\nof information to stakeholders or persons with a verified need-to-know.\n\n\nConclusion\nWe found instances where dissemination control markings were incorrectly applied,\nwhich could cause unnecessary restriction of information sharing. However, we also\nfound that DoD policy addressing dissemination of information regarding intelligence\nsources, methods, or activities, was consistent with DNI-issued directives.          DNI\ndirectives are electronically available, as is the CAPCO Register and Marking\nImplementation Manual, on JWICS and SIPRNET.            Because dissemination control\nmarkings of intelligence information are the DNI\xe2\x80\x99s purview, we will monitor and\ncomment further for the 2016 report under P.L. 111-258.\n\n\n\n\n                                DODIG-2013-142 | 57\n\x0c                                                                              Appendix B\n\n\n\n\nAppendix B\n\nComputer-Processed Data\nWe did not rely on computer-processed data to perform this evaluation.\n\n\nUse of Technical Assistance\nDuring the evaluation, we requested and received technical assistance from the DoD\nOffice of Inspector General Quantitative Methods Division (QMD). We worked with\nQMD during our planning phase.\n\n\nPrior Coverage\nIn the last seven years, the GAO issued one report on DoD\xe2\x80\x99s Information Security\nprogram. Unrestricted GAO reports are at http://www.gao.gov. The DoD OIG has\nissued three reports discussing security within the DoD.         DoD OIG reports are at\nhttp://www.dodig.mil/Ir/reports.\n\n\nYou can obtain information about the Department of Defense Office of Inspector General\nfrom DoD Directive 5106.01, \xe2\x80\x9cInspector General of the Department of Defense (IG\nDoD),\xe2\x80\x9d April 20, 2012; and DoD Instruction 7050.03, \xe2\x80\x9cOffice of the Inspector General of\nthe Department of Defense Access to Records and Information,\xe2\x80\x9d March 22, 2013. Our\nwebsite is www.dodig.mil.\n\n\nGAO\nGAO Report No. GAO-06-706, \xe2\x80\x9cDoD Can More Effectively Reduce the Risk of\nClassification Errors,\xe2\x80\x9d June 30, 2006.\n\n\nDoD OIG\nDoD OIG Report No. 10-INTEL-09, \xe2\x80\x9cAssessment of Security Within the Department of\nDefense: Tracking and Measuring Security Costs,\xe2\x80\x9d August 6, 2010.\n\n\nDoD OIG Report No. DoDIG-2012-001, \xe2\x80\x9cAssessment of Security Within the Department\nof Defense: Training, Certification, and Professionalization,\xe2\x80\x9d October 6, 2011.\n\n\nDoD OIG Report No. DoDIG-2012-114, \xe2\x80\x9cAssessment of Security Within the Department\nof Defense: Security Policy,\xe2\x80\x9d July 27, 2012.\n\n\n\n\n                                  DODIG-2013-142 | 58\n\x0c            Center for Development of Security Excellence (CDSE) Course Offerings\n\n\n\n\nCenter for Development of Security\nExcellence (CDSE) Course Offerings\n\nDoD\xe2\x80\x99s CDSE offers several different activities designed to train and educate those\ncharged with original and derivative classification duties. CDSE\xe2\x80\x99s eLearning \xe2\x80\x9cOriginal\nClassification Course\xe2\x80\x9d is 90 minutes long and provides the policy guidance for, and\npurpose of, original classification. The course defines original classification, identifies\nOCA requirements and qualifications, reviews the six steps of the original classification\ndecision process, discusses original classification limitations and prohibitions, explains\nthe basis for determining classification levels and duration, and lists the authorized\nmeans for providing classification guidance. The target audience for this course is DoD\nmilitary, civilian, and contractor personnel who propose, prepare, develop, or help with\noriginal   classification   decisions.      Information     on    this   course    is   at:\nhttp://cdse.edu/catalog/elearning/IF102.html.\n\n\nIn addition to the eLearning course, CDSE also has a downloadable \xe2\x80\x9cOriginal\nClassification Authority Desktop Reference Guide,\xe2\x80\x9d to assist the same target audience\nwith each of the six steps involved in the original classification process. That document\nis on the CDSE job aids web page at:\nhttp://cdse.edu/documents/cdse/oca-desktop-reference.pdf.\n\n\nCDSE also offers a Security Short titled \xe2\x80\x9cRequirements for OCAs,\xe2\x80\x9d which provides an\noverview of the changes for OCAs resulting from the issuing of E.O. 13526. It includes a\nbrief review of the six steps of the original classification process and highlights the\nmandatory annual training requirement, as well as sanctions that can be imposed for\nfailure to timely complete that training.            The short can be viewed at:\nhttp://cdse.edu/shorts/information-security.html#.\n\n\nOriginal Classification is also discussed in two of CDSE\xe2\x80\x99s instructor-led courses; the\n\xe2\x80\x9cDoD Security Specialist Course,\xe2\x80\x9d and the \xe2\x80\x9cInformation Security Management Course.\xe2\x80\x9d\n\n\n\n\n                                 DODIG-2013-142 | 59\n\x0c            Center for Development of Security Excellence (CDSE) Course Offerings\n\n\n\n\nFor derivative classifiers, CDSE offers a two-hour eLearning course titled \xe2\x80\x9cDerivative\nClassification\xe2\x80\x9d that explains how to derivatively classify national security information\nfrom a classification management perspective. The course discusses the responsibilities\nassociated with derivatively classifying information, describes the process and methods\nfor derivatively classifying information, identifies authorized sources to use when\nderivatively classifying information, and explains how to apply authorized sources\nthrough derivatively classifying information based on the concepts of \xe2\x80\x9ccontained in,\xe2\x80\x9d\n\xe2\x80\x9crevealed by,\xe2\x80\x9d and \xe2\x80\x9ccompilation.\xe2\x80\x9d The target audience for this course is DoD military,\ncivilian, and contractor personnel responsible for derivatively classifying national\nsecurity     information.            Information      on     this     course      is     at:\nhttp://cdse.edu/catalog/elearning/IF103.html.       In addition to accessing the course\nthrough our Learning Management System (Security Training, Education, and\nProfessionalization Portal \xe2\x80\x93- STEPP), this course is available for access on an outside\nwebsite     that     does      not     require     registration.        The      link    is:\nhttp://cdsetrain.dtic.mil/derivative/.\n\n\nCDSE is also developing a \xe2\x80\x9cDerivative Classification Refresher Course\xe2\x80\x9d that is expected\nto be launched near the first part of FY 2014. The course will serve as a tool for\nderivative classifiers to obtain the required biennial training to maintain their\nderivative classification duties.\n\n\nIn addition to the eLearning course, CDSE also has a downloadable \xe2\x80\x9cDerivative\nClassification Training Guide\xe2\x80\x9d to assist the same target audience with understanding the\nderivative classification process. The guide is on the CDSE job aids web page at:\nhttp://cdse.edu/documents/cdse/DerivativeClassification.pdf.\n\n\nIn the area of classification conflicts, CDSE offers a 30-minute eLearning course titled\n\xe2\x80\x9cClassification Conflicts and Evaluations\xe2\x80\x9d that gives a broad overview of the\nclassification challenge process. Students examine the process for formal challenges to\nclassification decisions, the role of the Interagency Security Classification Appeals Panel,\nand the process for mandatory review. Information on that course can be seen at:\nhttp://cdse.edu/catalog/elearning/IF110.html.\n\n\nThe Course and Product Book has been updated and provides the latest CDSE course\nofferings. The Course and Product Book is at:\nhttp://www.cdse.edu/documents/cdse/courses-products-Aug2013.pdf\n\n\n\n                                    DODIG-2013-142 | 60\n\x0c            Center for Development of Security Excellence (CDSE) Course Offerings\n\n\n\n\nThe link to the student guides for CDSE courses, which includes the updates for E.O.\n13526 and DoD Manual 5200.01, Volumes 1 through 4, can be accessed once you log\ninto a STEPP account at:\nhttps://stepp.dss.mil/Sumtotal82/app/taxonomy/learnerSearch/LearnerSearch.aspx?\nRootNodeID=-1&NodeID=5452&UserMode=0\n\n\n\n\n                                DODIG-2013-142 | 61\n\x0c\x0c\x0c            Whistleblower Protection\n           U.S. Department of Defense\nThe Whistleblower Protection Enhancement Act of 2012 requires\nthe Inspector General to designate a Whistleblower Protection\nOmbudsman to educate agency employees about prohibitions on\nretaliation, and rights and remedies against retaliation for protected\ndisclosures. The designated ombudsman is the DoD IG Director for\nWhistleblowing & Transparency. For more information on your rights\nand remedies against retaliation, go to the Whistleblower webpage at\n              www.dodig.mil/programs/whistleblower.\n\n\n\n\n   For more information about DoD IG\n  reports or activities, please contact us:\n                       Congressional Liaison\n                           703.604.8324\n\n                            DoD Hotline\n                            800.424.9098\n\n                             Media Contact\n                Public.Affairs@dodig.mil; 703.604.8324\n\n                         Monthly Update\n                 dodigconnect-request@listserve.com\n\n                        Reports Mailing List\n                  dodig_report-request@listserve.com\n\n                               Twitter\n                         twitter.com/DoD_IG\n\x0c\x0c"